According to Vickery a child tracking company called uKnowKids incorrectly installed one of their MongoDB databases and it left a lot of information about kids open to… well anyone that wanted them.
“In violation of the Children's Online Privacy Protection Act (COPPA), uKnowKids.com gave public access to over 6.8 million private text messages, nearly 2 million images (many depicting children), and more than 1,700 detailed child profiles. This includes first and last names, email addresses, dates of birth, gps coordinates, social media access credentials, and more.”
According to Vickery the database was open for 48 days at least. “There’s no way for me to know for sure how long this data was exposed to the public internet, although the information collected by Shodan.io suggests that the database had been up for at least 48 days. There’s also no way for me to know for sure how many people may have accessed the database during the exposed timeframe.”
This say that this is unacceptable is an understatement, but it actually gets worse. Vickery contacted uKnowKids about the issue and instead of them being grateful for him letting them know they appear to have attempted to intimidate him into keeping quiet about it. Vickery states that the CEO, Steve Woda, tried to prevent him from ever disclosing the vulnerability over the phone. In emails he was a bit more polite, even though he was still asking for the information to be kept private.
When Vickery did disclose the issue uKnowKids and Woda were quick to call him a hacker and claim he “breached” their system. You can guarantee that they are preparing to lawyer up and are going to go after Vickery at this stage. In their public statement they call Vickery a “Hacker” and state that he “claims to be a "white-hat" hacker”.
They go on to attempt to vilify Vickery with statements like “Mr. Vickery claims to work at a prominent law firm by day and exploit vulnerable technology systems at night. We do not have any additional background information on Mr. Vickery, but we are doing our best to fully identify Mr. Vickery in order to validate his stated "benign" intentions.” Once again the purpose behind this statement is an obvious one; to discredit Vickery and his work. uKnowKids. Woda and uKnowKids left a system open and then tried to bully the research that found the massive hole using a publicly available system (Shodan) and instead of standing up and fixing the issue they are looking to make Vickery into a bad guy to save face.
What is very interesting is that they are claiming to be presenting facts, but are instead relasing unconfirmed information by their own statement. "We believe this IP address is associated with Mr. Christopher Vickery in Austin, Texas, but we don't have confirmation of that fact yet." This would be in opposition to any legal advice on a real breach. The mantra is; only state what is true at the time and will never change. I highly doubt that they did this on the advice of counsel. They are also soliciting legal advice and trying to get “legal authorities” to contact them about this incident. “If you are an interested legal authority, please contact us at
That is also very odd as it goes against most advice in a real breach. They would have no way to properly vet someone from a real law enforcement group. No, this really looks like a personal attack by uKnowKids (possible from Woda) on Vickery. Perhaps he did not like the fact that Vickery was not intimidated by his threats and wants to make him look like a bad guy.
To Mr. Steve Woda we have this to say; if Vickery were a real “hacker” you would never have known about it. Your data would be gone and sold off to someone that wanted it by now. They also would have continued to mine that open database for more information while you sat by and did nothing. Instead Vickery came to you and let you know about it so you could fix the issue. You have repaid him with an attack on him personally; all to save your own reputation. You are part of what is wrong with security today.