Unsecured MongoDB database exposes real-time locations of families

Connor Jones

25 Mar, 2019

The popular family tracking app Family Locator has for weeks exposed the real-time unencrypted location data of over 238,000 of its users.

The app, which closely resembles Apple’s ‘Find My Friends’ in functionality, allows users to track family members and set up geofencing features that notify them when a family member leaves work or arrives at school, for example.

Not for the first time this month, the data was left exposed by an unprotected MongoDB database: anyone who knew the server’s address could read the information without authenticating, according to TechCrunch.
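The article does not publish the database’s configuration, so the following is an added illustration rather than the app’s actual settings: a `mongod.conf` fragment showing the kind of self-hosted MongoDB setup that produces exactly the exposure described (any client that reaches the port can read every collection), followed by a corrected version. The assumption is a standalone `mongod` reachable over the internet; the TLS file path is a placeholder.

```yaml
# Weak configuration (constructed example, not the Family Locator deployment):
# the server listens on every interface and requires no credentials, so
# anyone who finds the address can list databases and dump collections.
net:
  bindIp: 0.0.0.0          # reachable from any network, including the internet
  port: 27017
security:
  authorization: disabled  # no user accounts; every connection is fully privileged
---
# Corrected configuration: bind only to the interface the application server
# uses, require authentication for every client, and encrypt the transport.
net:
  bindIp: 127.0.0.1        # or the private address of the app server, never 0.0.0.0
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path for this example
security:
  authorization: enabled   # clients must log in as a user with explicit roles
```

Enabling `security.authorization` is only half the fix: a least-privilege user (for example one with `readWrite` on the application database only) must be created with `db.createUser` before the app can connect, and the firewall or cloud security group should block port 27017 from the public internet regardless of what `bindIp` says. Since MongoDB 3.6 the default `bindIp` is localhost, so an exposed instance like this one is usually the result of an explicit change or an older release.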

The exposed database was found by Sanyam Jain, a security researcher and member of the GDI Foundation, a non-profit that detects and analyses data exposures that criminals could exploit and discloses them publicly.

None of the data in the database was encrypted: names, email addresses, profile photos and plaintext passwords were easily accessible, and geofenced locations were visible along with their assigned names. Anyone reading it could effortlessly learn not only a user’s current location but also where they lived, where they worked and where their children went to school.

“Unfortunately, this is yet another case where unprofessional handling of technology has led to data leakage,” said Boris Cipot, senior security engineer at Synopsys.

“A serious misconduct such as this should not happen, but, as we often see, they do, and usually they happen if and when security procedures are not implemented correctly or are disregarded,” he said. “Security should not be taken lightly, especially when you are working with data that someone entrusted you with.”

The developer of Family Locator, React Apps, has been unresponsive to approaches from the media. TechCrunch tried to contact the company for over a week, but its website had no contact information and the record held by the Australian Securities and Investments Commission returned only the name of the company’s owner.

The database, which was hosted on Microsoft’s Azure cloud, was later pulled offline by Microsoft, but it is unknown how long it had been left exposed.

Earlier this month another unprotected MongoDB database was behind a separate breach: researcher Bob Diachenko discovered an exposed database containing 809 million email records, many of which included personally identifiable information.

Matters got worse when security company DynaRisk confirmed that the number of leaked records was actually three times higher than first thought; the real figure stood at over two billion.

Most entries contained a surname, email address, gender, postcode and IP address. The records were cross-checked against the popular HaveIBeenPwned website, which showed the data had not appeared in any previously known breach, meaning the exposure was new and the affected people had not been caught up in an earlier breach.