Child tracking service TeenSafe exposes passwords on misconfigured AWS storage
A smartphone monitoring service designed to allow parents to track teenagers has been found to have exposed passwords, in plain text no less, on a publicly available Amazon Web Services S3 storage instance.
First reported by ZDNet, the data breach relates to a service provided by TeenSafe Inc., a seven-year-old Santa Monica, California-based company that promises to help parents protect their children.
The company’s only product, an app available for iOS and Android that tracks everything a child does and sends the data back to a cloud server for parents to view, is pitched as helping parents detect the hidden dangers lurking inside their child’s smartphone. “Whether your child uses an iPhone or Android device, TeenSafe can help you keep tabs on what they are doing, who they are talking to and where they are,” the product page notes.
The data on the AWS instance, or unit of storage, included parents’ email addresses associated with TeenSafe, as well as their corresponding child’s Apple ID email address; the child’s device name and unique identifier; and plaintext passwords for the child’s Apple ID.
For the kicker, the app, which the company claims is used by more than 1 million parents, requires that two-factor authentication be turned off. That means that if hackers did get their hands on the data, both gaining access to an account and stealing the data would be dead easy.
The report doesn’t say whether the data had been accessed by a malicious actor, and fortunately there were only 10,200 records found, a small portion of the claimed customer base of 1 million. The company said it has taken the data offline and said that it had “begun alerting customers that could potentially be impacted.”
It’s easy to say that this is just another AWS S3 misconfiguration, but the only good news is that after constant exposure last year of this type of problem, the message that it’s important to secure online cloud storage, particularly AWS instances, may be finally getting through.
That said, it’s only May 20 and the year still has a long way to go. Only this week, data relating to as many as 3.5 million Los Angeles County residents were found on an AWS S3 instance in nearly identical circumstances. According to Govtech.com, the data consisted of at least 396,000 contact emails and 33,000 Social Security numbers.
Others this year to have exposed data the same way include FedEx Corp., BJC Healthcare and Octoly.