There is a database maintained by a spyware company left open for anyone with the URL to access. The database is active for the last six to eight weeks since its discovery, amidst the persistent effort of tech experts and reporters to contact and warn the company that the supposed sensitive and identifiable data was leaked online.
The company who owns the database sells consumer-grade software that lets its users spy on other people’s calls, messages, and anything they do on their cellphones. For some weird reasons, they left a database containing more than 95,000 images and more than 25,000 phone call recordings accessible to anyone who has an internet connection.
The exposed data is segregated in two separate folders, including intimate photos and disturbing phone call recordings. The company who runs the database markets itself as an application that enable parents to spy on their children’s cellphones.
According to Troy Hunt, a researcher who maintains a database that contains all the data breaches he discovered, following his analysis on the said database, revealed that there are more than 16 gigabytes of images and around 3.7 gigabytes of MP3 recordings in it.
As of the moment, it is still unclear how many unique data was included in the breached database as there are entries like pictures and recordings that have been uploaded multiple times.
The company has been attempted to be contacted by journalists and different tech experts to warn them and have them secure the database, but all their efforts were to no avail.
Lorenzo Franceschi-Bicchierai, a tech reporter from Vice’s Motherboard, one of the first to report the breach discovered by Cian Heasley, a security researcher who unearthed the database, attempted to contact the company for several times but received little to no response from them. Bicchierai said in an article that he had spent weeks trying to “ethically disclose this vulnerability to the company and to get the private images secured.”
They reached out to the company email and to the Gmail address of the site’s administrator, who appears to be the company’s founder and left voicemail to a Google Voice number listed on the site’s WHOIS details, but all of their efforts were left unsuccessful.
In a continuous attempt to get the database secured, the team also contacted GoDaddy, the domain registrar for the company’s main site and the leaked database but received a comment that there’s not much that the domain company can do about it.
The team, however, could not contact the victims of the said leaks. That is because the exposed server does not include any contact details such as email and phone numbers of the users of the app. Nonetheless, the data still are sensitive as they include nude and intimate images of people that can be used for “sextortion” and “blackmail.”
Until now, the company remains unnamed because naming the company would make it easier for anybody to locate the database as it is fairly has a straightforward URL that exists in its main site, where people can readily access the data. If that happens, the data of hundreds, maybe thousands of users will be compromised exposing their intimate and identifiable pictures, videos, text messages, and phone recordings for anyone with ill intent to use.
As of today, weeks after the discovery of the database and the countless attempt of experts to alert the company, the data including the pictures and audio recordings, are still out there, available for all to see and listen. According to Heasley, the URL of the database was exposed in the source code of the app as is also relatively easy to guess.
“This is the level of security these guys work with,” Heasley, who studies computer security and forensics at Napier University in Edinburgh Scotland, said in an online interview. “It’d be funnier if it wasn’t stalking victim’s data.”
According to Eva Galperin, who has researched stalkerware and is the director of cybersecurity at Electronic Frontier Foundation, “People should not be using these tools in the first place… But the fact that these companies aren’t very good at securing their own data is just the cherry on the bad idea sundae.”
The exposure of the database from this company is the latest of the alarming amount of data being leaked by spyware companies in recent years. In the last two years, there have been 12 stalkerware companies that have either been breached or left data exposed online.