A company that produces software used for spying has left terabytes' worth of data exposed online. The California-based spyware company, called Spyfone, produces software that is used to intercept text messages, calls, and emails, and to track location. The leaked data was left in a poorly protected Amazon S3 bucket belonging to the company.
The exposed data belongs to both the users of the software and their targets, and includes hashed passwords and logins, web histories, selfies, and audio recordings, among others. The breach was uncovered by an anonymous security researcher, and the finding was confirmed by online tech news publication Motherboard.
Motherboard created a trial account, installed the spyware, and took some pictures. The researcher was able to send one of the pictures back to Motherboard hours later.
The researcher also communicated to Motherboard the size and types of exposed files, which included several terabytes of unencrypted camera photos and 44109 unique email addresses. As quoted by Motherboard, he said that “there is currently 3,666 tracked phones,” in addition to “at least 2,208 current ‘customers’ and hundreds or thousands of photos and audio in each folder.”
Motherboard also conducted its own investigation and found one of Spyfone’s APIs to be unprotected, allowing “anyone who guesses the URL to read what appears to be an up-to-date and constantly updating list of customers. The site shows first and last names, email and IP addresses. As of Thursday, there were more than 11,000 unique email addresses in the database.”
In response, a Spyfone representative said that the company is investigating the leak and commended the researcher for his good intentions.