FarFaria, an online app that offers fairy tales for kids two to nine years old, has been found to expose the details of its 2.9 million users.

Discovered and detailed today byBob Diachenko, the head of security research at Comparitech, the data was open to all and sundry on a misconfigured MongoDB database. The data exposed included email addresses, authentication tokens, sign-in info and social media information.

Diachenko noted that he discovered the exposed database on Aug. 9 and tried to contact the company but received no response. FarFaria is a venture capital-backed company, having raised $3.3 million from Inventus Capital Partners, according to Crunchbase.

SiliconANGLE has asked for comment from FarFaria and Inventus Capital Partners and will update this post if responses are forthcoming.

“There is an incredible amount of cyber risk involved with today’s younger generation, as children are increasingly using the internet for their education and activities,” Robert Prigge, chief executive officer of identity verification company Jumio Corp., told SiliconANGLE. “With 2.9 million FarFaria user records exposed, it’s likely the information has already been leaked on the dark web, placing children in greater danger of being victimized online from a much younger age than previous generations.”

Prigge went on to explain that although the passwords were encrypted, fraudsters can easily decipher encrypted passwords. In doing so, they can “leverage bots and credential stuffing in an attempt to access other online accounts, such as school platforms, social media accounts, learning applications and more.”

Anurag Kahol, chief technology officer and co-founder of total cloud security firm Bitglass Inc., noted that this is yet another example where a massive amount of personally identifiable information has been left exposed on the web without any authentication controls in place.

“Children are particularly at risk, as their exposed data can be easily stolen by threat actors and leveraged to commit identity theft or conduct highly targeted phishing schemes,” Kahol said. “When creating accounts for their children, parents should be able to trust that their data will be protected, which can only be done when businesses take a proactive approach to security.”

Image: FarFaria