US childcare platform exposes 140K records, including minors' data
A misconfigured database left the personal details of parents and children from thousands of childcare centers exposed to anyone on the internet.
Cybernews researchers have discovered a publicly accessible Elasticsearch database leaking more than 140,000 records belonging to childcare and early education facilities.
The data appears to originate from LineLeader, a popular CRM platform used by preschools and daycare centers to manage enrollment, parent communications, and leads.
Texas-based tech company CRM Web Solutions LLC operates the platform. According to the company’s website, its platform is used by more than 9,000 childcare centers worldwide and supports approximately 200,000 monthly users.
What data did LineLeader expose?
- Full names
- Email addresses
- Phone numbers
Entire families at risk
The leaked database included records categorized as leads, inquiries, and children, strongly indicating that it belonged to an active CRM system, rather than an internal test environment.
The records exposed the PII of parents and children, raising huge safety concerns. The leaked data directly links parents to their children, putting entire families at risk of cyberattacks.
A dataset is a treasure trove for anyone looking to run convincing phishing scams, impersonate schools, or carry out identity theft.
A failure to properly secure such systems can spread mistrust among parents, expose children to long-term privacy risks, and result in regulatory scrutiny.
“For the childcare and early education sector, these findings highlight the critical responsibility both software vendors and their customers share when handling sensitive family data,” said the Cybernews research team.
Cybernews contacted the company and CERT with a responsible disclosure, and the instance has since been secured. The company has not provided an official response or comment on whether it has informed the affected childcare organizations and individuals.
A familiar but dangerous pattern
The leak was caused by a misconfigured Elasticsearch instance that was left publicly accessible without password protection.
This type of configuration error, when a company leaves its systems without a password, remains one of the most common causes of data leaks.
While unsecured databases are a recurring problem across industries, leaks involving children’s data are particularly alarming.
Previous research by Cybernews revealed that the same human error has led to many significant data leaks.
For example, in 2023, KidSecurity, a popular parental control app used to track children, exposed activity logs containing 300 million records of private user data after failing to secure access to its Elasticsearch database.
What’s more troublesome is that, at the time researchers discovered the exposed KidSecurity, there were indications that it had already been compromised by threat actors.
In 2024, the same app was found leaving a Kafka Broker Cluster without authentication, exposing a large amount of sensitive data collected from minors’ phones. The leaked data included GPS locations and private messages.
The Cybernews research team also discovered that IT company Appscook – which develops applications used by more than 600 schools in India and Sri Lanka for education management – leaked a staggering amount of sensitive data, including photos of minors, home addresses, and birth certificates, due to a misconfiguration of its systems.
Disclosure timeline
Leak discovered: September 8th, 2025
Initial disclosure: September 9th, 2025
CERT contacted: September 16th, 2025
Leak closed: December 5th, 2025
Unlock more exclusive Cybernews content on YouTube.
