The Apple and Android IDs of more than 10,000 children were left unprotected on Amazon cloud servers for months, reports ZDNet.
The data was found on one server run by Teensafe, which makes an app parents can use to monitor and control their child’s phone use.
Also exposed were plaintext passwords, parents’ email addresses as well as device names and unique identifiers.
The company shut the server down when it was told data was being exposed.
“We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” Teensafe told ZDNnet.
The app maker has not yet responded to a request for a statement from the BBC.
The data-exposing server was found by security researcher Robbie Wiggins, who has previously found thousands of similarly misconfigured machines on Amazon Web Services.
In this case, he also found another poorly protected Teensafe server which had no important data on it.
ZDNet said the servers were left “unprotected and accessible by anyone without a password”. Data from more than 10,000 accounts was exposed on them.
Mr Wiggins told the BBC that the data was viewable because Teensafe had not put in place basic security measures, such as a firewall, to protect data.
The scan across AWS that turned up the Teensafe server also found machines run by other companies that had made the same mistakes, he said.
Teensafe describes its app, which is available for both iOS and Android, as a way to “securely” monitor smartphone use. Once installed, the app lets parents see text messages, numbers being called, websites visited and which apps are installed.
The company claims more than one million parents use its service.
Children’s phone data exposed on cloud server