I want to share an update regarding what we have learned over the last few days about the database vulnerability that was discovered last week and that we publicly reported on Monday February 21, 2016.
Many details were unknown when we quickly made our initial announcement, and so we shared the basic facts as we knew them at the time. We have a lot more information that we can credibly share today.
As a reminder, we were contacted on February 17, 2016 at 12:20pm ET with notice of a database vulnerability.
We responded to the alert within 4 minutes, and patched the vulnerability within 90 minutes. Simultaneously, we initiated a forensics investigation to determine what had happened, what data was at risk, and who might have accessed that data. We also initiated a detailed scan of all our existing systems to ensure that there were no other known vulnerabilities. Finally, we thanked the “researcher” for his assistance, and asked him to permanently destroy all copies of our customer data and intellectual property including any screenshot copies.
The goal of the forensics investigation was to determine exactly what happened. I can report that we have thoroughly examined all available network, server and database log files, and I want to assure our customers that we now have a factual, substantive understanding of both the history and scope of the vulnerability.
The vulnerability was a single misconfigured data collection node within a cluster of databases (the other databases were properly configured and secured). The database node was a protected computer, as defined by law, residing on our private servers and implemented by a third-party service provider on our behalf. The authentication weakness left this database node vulnerable to exploitation by unauthorized parties.
The database node was located on a server instance that was deployed on December 28, 2015 at 6:17:40 PM ET. The database subsequently was created on the server instance on December 29, 2015 at 11:53am ET, and it appears that the database was introduced into production on or about January 15, 2016.
We have examined both the server log files and the database log files in exhaustive detail as well as network bytes in/out data of the server instance. In summary, there are four IP addresses of particular interest.
Two of the IP addresses are associated with credible sources that did not explore the data, and two of the IP addresses are associated with the person who notified us of the vulnerability. There is only one IP address that can be associated with abnormal bytes of in/out networking traffic.
In short, the single IP address appears to represent the only breach detectable within our network and database log files as well as all available network byte in/out traffic data. We do not believe, at this time, that any of our data was exploited with the single exception of the white hat hacker who initially notified us of the vulnerability.
We feel confident in the facts as presented to you thus far, and if new facts are discovered, we will responsibly share those as well.
Below is a summary of the vulnerable data on the database node:
|Unique Child Profiles
|Parent Email Addresses
|Child Email Addresses
|Credit Card Payment Information
|Data Channel Passwords
|Mobile Image URLs
|Social Network Image URLs
|Social Network Posts
|Social Network Tags
|Social Network Contacts
This summary excludes internal test and duplicate accounts, and is the definitive scope of the exposure.
The data vulnerability affected a tiny percentage of the families that have utilized uKnowKids to help protect their kids online and on the mobile phone, but any percentage above 0.000001% is too high.
We have shared the news of our data vulnerability with many hundreds of thousands of customers, followers, and friends, and the unbelievable volume of supportive, thankful, and thoughtful responses has been both overwhelming and humbling. Thank you for your trust, confidence and support.
Moving forward, we remain committed to and focused on the task at hand: helping moms and dads around the globe protect their kids online and on the mobile phone.
CEO, uKnow and uKnowKids
Breaking news... A uKnow database was breached by a hacker, and here are the facts as we know them right now - uKnowKids, February 21, 2016
uKnowKids defends response to data breach alert - BBC News, February 25, 2016