Child Tracker Exposed The User Data of 1700 Kids
uKnowKids is a child tracker marketed to parents as a way to keep their children safe by tracking their online activities including social media posts and mobile device usage. Security researcher Chris Vickery has discovered a misconfigured database at the company which exposed the information of over 1700 children, including “6.8 million private text messages, nearly 2 million images (many depicting children), and more than 1,700 detailed child profiles. This includes first and last names, email addresses, dates of birth, GPS coordinates, social media access credentials, and more.”
Vickery contacted the company and was initially thanked for his report by uKnowKids’ CEO, Steve Woda, who wrote, “Thank you again for alerting me to the data security breach that you discovered. I am super sensitive to ANY and EVERY security vulnerability (and in this case, breach), and so I am very, very thankful for your note…” Despite thanking Vickery in private emails, the CEO had less than kind words over the phone, according to Vickery: “Steve Woda tried all manner of intimidation tactics against me. I can only assume that this is because he doesn’t want anyone reporting on the incident.” Then, in a public statement, uKnowKids itself claimed “a uKnow database was breached by a hacker,” and a Twitter post from the company stated, “I want to share some breaking news with you about a data breach that we discovered…”
The database in question was online for at least 48 days before Vickery discovered it using the Shodan search engine. Shodan lets users search for internet-connected devices and has previously been used to highlight similar vulnerabilities. It recently made headlines because it allows users to search unprotected webcam video feeds. According to Vickery, the uKnowKids database was not protected from public access, “requiring no level of authentication or password and providing no protection at all for this data.”
Vickery has a history of exposing database vulnerabilities using Shodan. Late last year he reported a database of US voter data which was similarly exposed online. He has also previously reported a breach in the MacKeeper software utility which exposed the usernames and passwords of over 13 million customers. As a response to the breach, MacKeeper hired Vickery. Respected tech blogger Brian Krebs has referred to him as “IT helpdesk guy by day and security researcher by night,” a contrast to uKnowKids’ characterization of him as a “hacker” who “claims to be a "white-hat" hacker which means he tries to obtain unauthorized access into private systems for the benefit of the "public good."” (Note the sarcastic air quotes.)
In the same Krebs story, Vickery acknowledges the risks of testing corporate systems for vulnerabilities and reporting such matters: “Asked whether he’s worried that some clueless organization or overzealous prosecutor might come after him for computer hacking, Vickery said he’s not concerned… ‘I’ve made peace with that and you can’t live your life in fear,’ he said. ‘I feel pretty confident that if you configure a server for public access — without authentication — and it gets publicly accessed, that’s not a crime.’”
Ironically, parents who used the uKnowKids service to monitor their kids' online behavior ended up placing them at risk.