KidSecurity’s user data compromised after app failed to set password


KidSecurity, a popular parental control app that’s used to track children, has exposed its activity logs, leaving users' private data in the hands of threat actors.

With more than a million downloads on Google Play, KidSecurity provides parents with services to track their children's location, listen to the sounds around the child to ensure safety, and set gaming limits.

On September 16th, researchers discovered that the app failed to configure authentication for Elasticsearch and Logstash collections.

Elasticsearch and Logstash are commonly used tools for log and event data analysis. Elasticsearch is employed to search, analyze, and visualize large volumes of data. Logstash is a data processing pipeline that collects, processes, and forwards event and log data.

Due to KidSecurity’s oversight, user activity logs were left publicly available to anyone on the internet for more than a month, according to estimates.

Sample of the leaked data.

The open instance contained over 300 million records with private user data, including 21,000 telephone numbers and 31,000 email addresses. The app’s logs also laid bare users' payment information, exposing the first six and last four digits of credit cards, expiration month and year, and the issuing bank.

Open Elasticsearch instances without adequate security measures, such as authentication and access controls, are targeted by malicious actors seeking to exploit vulnerabilities.

There are indications that unknown threat actors compromised the leaked KidSecurity data. The open instance has been hit by the ‘Readme’ bot and was partially destroyed.

Open instances are constantly hit by malicious botnets and automatically destroyed. In the process, a ‘Readme’ file containing a ransom note and a BTC address for the transfer in exchange for the files is injected into the Elasticsearch server.
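
For teams running their own Elasticsearch, the condition described above can be checked from the outside. The following is an added example, not part of the original article or of KidSecurity's code: it sends a credential-less request to a cluster you operate and reports whether the index listing is readable and whether any index looks like an injected ransom note. The index-name pattern, the sample reply, and the function names are assumptions made for illustration.

```python
import json
import re
import urllib.error
import urllib.request

# Assumption: a ransom-note index has a name starting with "readme" / "read_me".
NOTE_NAME = re.compile(r"^read[\W_]*me", re.IGNORECASE)

# Constructed sample of an unauthenticated /_cat/indices?format=json reply.
SAMPLE_BODY = json.dumps([
    {"index": "logstash-app-logs", "docs.count": "1200000"},
    {"index": "read_me", "docs.count": "1"},
])


def classify(status, body):
    """Interpret the reply to a credential-less GET /_cat/indices?format=json."""
    result = {"exposed": None, "indices": [], "ransom_note": []}
    if status in (401, 403):          # authentication is enforced
        result["exposed"] = False
        return result
    if status != 200:                 # unreachable or unexpected: inconclusive
        return result
    try:
        rows = json.loads(body)
    except ValueError:
        return result                 # not Elasticsearch JSON: inconclusive
    if not isinstance(rows, list):
        return result
    names = [str(r.get("index", "")) for r in rows if isinstance(r, dict)]
    result["exposed"] = True          # index listing readable without credentials
    result["indices"] = names
    result["ransom_note"] = [n for n in names if NOTE_NAME.search(n)]
    return result


def probe(base_url, timeout=5):
    """Query a cluster you operate without credentials and classify the reply."""
    url = base_url.rstrip("/") + "/_cat/indices?format=json"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, "")
    except OSError:                   # refused, timed out, DNS failure
        return classify(None, "")


if __name__ == "__main__":
    print(classify(200, SAMPLE_BODY))
```

An `exposed` value of `True` means the cluster answered without asking for credentials; a non-empty `ransom_note` list means an index matching the assumed note name is already present.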

Sample of the leaked data.

“The exposure of sensitive data, such as user emails, phone numbers, and payment information in a kids' tracking mobile application, is of paramount importance due to the potential risks it poses,” Bob Diachenko, who first identified the leak, told Cybernews.

“In the wrong hands, threat actors could misuse this information for identity theft, fraud, and unauthorized financial transactions, putting children and their families at significant risk. While location details were not exposed in this instance, the leak still represents a severe breach of privacy and security for the affected users.”

Cybernews has requested a comment but received no reply at the time of writing.