The mobile app, TeenSafe, bills itself as a “secure” monitoring
app for iOS and Android, which lets parents view their child’s
text messages and location, monitor who they’re calling and when,
access their web browsing history, and find out which apps they
have installed. […]
The database stores the parent’s email address associated with
TeenSafe, as well as their corresponding child’s Apple ID email
address. It also includes the child’s device name — which is
often just their name — and their device’s unique identifier. The
data contains the plaintext passwords for the child’s Apple ID.
Because the app requires that two-factor authentication is turned
off, a malicious actor viewing this data only needs to use the
credentials to break into the child’s account to access their
personal content data.