This story is part ofWhen Spies Come Home, a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.
A company that sells consumer-grade software that lets customers spy on other people’s calls, messages, and anything they do on their cell phones left more than 95,000 images and more than 25,000 audio recordings on a database exposed and publicly accessible to anyone on the internet. The exposed server contains two folders with everything from intimate pictures to recordings of phone calls, given that the app markets itself mostly to parents.
Troy Hunt, a researcher who maintains the breach database Have I Been Pwned? , analyzed the database and said that there were around 16 gigabytes of images and around 3.7 gigabytes of MP3 recordings in it. Motherboard confirmed his analysis. (It’s hard to say how many unique pictures and recordings there are, however. Some pictures appear to have been uploaded multiple times.)
This breach is just the latest in a seemingly endless series of exposures or leaks of incredibly sensitive data collected by companies that promise to provide services for parents to keep children safe, monitor employees, or spy on spouses. In the last two years, there have been 12 stalkerware companies that have either been breached or left data exposed online: Retina-X (twice ), FlexiSpy , Mobistealth , Spy Master Pro , SpyHuman , Spyfone , TheTruthSpy , Family Orbit , mSpy, Copy9 , and Xnore .
Last week, security researchers Bob Diachenko and Vinny Troia discovered an unprotected, publicly accessible MongoDB database containing 150 gigabytes-worth of detailed, plaintext marketing data—including 763 million unique email addresses. The database, owned by the "email validation" firm Verifications.io, was taken offline the same day Diachenko reported it to the company.
We can’t tell you the name of the company that’s the latest—but certainly not the last—to join that list. That’s because despite our repeated efforts to alert the company to the leak, it has yet to fix the problem or acknowledge our request for comment. Because the leaked data violates the privacy of hundreds if not thousands of people, and because that data is still very easy for anyone to find and access, even naming the company publicly could lead bad actors to it.
The exposed database was found by security researcher Cian Heasley, who contacted us when he found it earlier this year. The database is still online, and has been online for at least six weeks. Pictures and audio recordings are still being uploaded to it nearly every day. We won’t name the company to protect the victims who may be getting spied on without their consent or knowledge, and—on top of that—are having their pictures and calls uploaded to a server open to anyone with an internet connection.
We have spent weeks trying to ethically disclose this vulnerability to the company and to get the private images secured. We reached out to the company’s official contact email, displayed on its site. No answer. We reached out to the Gmail address of the site’s administrator, who also appears to be the company’s founder. No answer. We left a voicemail to a Google Voice number listed on the site’s WHOIS details. No answer.
We reached out to GoDaddy, the domain registrar for the company’s main site, as well as the leaky database, which is on the same domain. Company employees told us there’s not much they can do.
The US Federal Trade Commission did not respond to a request for comment.
The company that’s hosting the actual content, a hosting provider called Codero, did not respond to multiple requests for help via email.
Read More:Don’t Use Software To Spy On Your Spouse
So, as of today, weeks after Heasley found the database and Motherboard tried to warn the company, the pictures and audio recordings are still out there, for all to see and listen to.
Motherboard was unable to reach any victims or customers because the exposed server does not contain any contact information, such as email addresses or telephone numbers of victims or users. The data uploaded, in any case, is still highly sensitive, possibly identifying, and in some cases consists of nude and otherwise intimate images.
The spyware app that's leaking this data allows its customers to monitor pretty much everything on the cellphone where it’s installed. The spyware lets its operator read the target’s phone contacts, text messages, listen to calls, record ambient sound by turning on the microphone, and much more.
Heasley, who is analyzing the security of several stalkerware apps, said that the URL of the database was exposed in the source code of the app. The URL is also relatively easy to guess.
“This is the level of security these guys work with,” Heasley, who studies computer security and forensics at Napier University in Edinburgh, Scotland, told Motherboard in an online chat. “It'd be funnier if it wasn't stalking victim's data.”
“People should not be using these tools in the first place,” Eva Galperin, who has researched stalkerware and is the director of cybersecurity at the Electronic Frontier Foundation, told Motherboard. “But the fact that these companies aren’t very good at securing their own data is just the cherry on the bad idea sundae.”
Additional reporting by Joseph Cox.
Listen to CYBER, Motherboard’s new weekly podcast about hacking and cybersecurity.