UKnowKids turns against researcher who found 1,700 children’s data was at risk

Child-focused security firm embroiled in row with security expert over insecure database

Open padlock key

Child-tracking app has accused a security researcher of "hacking" its systems after he warned it that its data was at risk.

Researcher Chris Vickery found that one of's databases was misconfigured on Monday, exposing 1,700 children's detailed profiles, including email addresses, full names, dates of birth and even GPS co-ordinates for nearly 50 days.

The at-risk data also included 6.8 million personal messages and nearly two million images, many of which were of children.

This data was stored on a MongoDB database configured for public access, and Vickery claimed he did not even need a password to access it.

Advertisement - Article continues below
Advertisement - Article continues below

"I don't know about you, but I would consider it not a 'reasonable procedure' to give the public open, unfettered access to a database containing detailed child information," the Kromtech security researcher wrote on MacKeeper.

Steve Woda, CEO of the child safety app company, acknowledged the problem in a blog, and said his technology team patched the vulnerability 90 minutes after Vickery notified him.

He added that the leak affected just 0.5 per cent of the children uKnowKids is charged with protecting.

But he also questioned Vickery's intentions, and wrote: "The hacker claims to be a white-hat' hacker which means he tries to obtain unauthorised access into private systems for the benefit of the public good'.

"We are doing our best to fully identify Mr. Vickery in order to validate his stated benign' intentions."

Woda wrote that Vickery notified uKnowKids of the data leak 12 minutes after downloading the database, having taken screenshots of business data and customer data.

Advertisement - Article continues below

The firm demanded that Vickery delete the downloads, which he did, but he has kept a number of screenshots, which he claimed to have redacted.

Speaking to CSOOnline, Vickery said he was holding onto the screenshots to ensure uKnowKids remains "(minimally) honest in their claims".

He said that Woda expressed fears in an email conversation with him that revealing the database insecurity could put uKnowKids out of business.

Woda's firm has reconfigured all encryption keys and data schemas to fend off cyber criminals, and has hired two security firms to help expose any other vulnerabilities in its systems. It also reported the breach to the Federal Trade Commission.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now



How to protect against a DDoS attack

25 Oct 2019
data breaches

Ex-Equifax CIO to serve four months for insider trading

2 Jul 2019
data breaches

Ex-Equifax CIO to serve four months for insider trading

2 Jul 2019
data breaches

Ex-Equifax CIO to serve four months for insider trading

2 Jul 2019

Most Popular

Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020