Child Tracker Website, uKnowKids, Admits Data Breach

• By Sydny Shepard
• Feb 25, 2016

A misconfigured database at uKnowKids, a child-tracker website, has exposed the data of 1,700 children, their person messages, social media profiles and images. More than 6.8 million private text messages, nearly 2 million images and more than 1,700 detailed child profiles were left exposed. These profiles include last names, email addresses, date of birth, GPS coordinates, social media credentials and more.  

The insecure MongoDM installation was online for seven weeks before a security researcher, Chris Vickery, discovered it and reported the issue to uKnowKids. The company responded promptly to tighten the security of its systems.

Steven Woda, chief executive of uKnowKids, admitted to the issue in an advisory to the customers while criticizing the motives of the researcher.

“The hacker claims to be a ‘white-hat’ hacker a ‘security researcher’ or ‘white hat hacker’ or ‘ethical hacker’ which means he tries to obtain unauthorized access into private systems for the benefit of the ‘public good,’” Woda said. “Although we do not approve of his methods because it unnecessarily puts customer data and intellectual property at risk, we appreciate his proactive, quick notification as it was helpful to our team.”

Woda explained that any data breach affecting the subscribers was a very serious issue and the company would not plan to minimize the breach. Woda is also at battle with Vickery who is reluctant to comply with uKnowKids and delete any extracted information he obtained from the database.

“I securely wiped it within 48 hours and notified uKnowKids of this fact,” Vickery said. “However, the few retained screenshots are completely redacted of all Personally Identifiable Information and are being kept for purposes of credibility and to keep uKnowKids (minimally) honest in their claims."

uKnowKids is now working with the FTC to help make their databases more secure.