The leaked data includes extensive personal details of the customers. The matter surfaced online after an anonymous security researcher discovered this data last week on an Amazon S3 bucket. As stated by Motherboard,
“The data exposed included selfies, text messages, audio recordings, contacts, location, hashed passwords and logins, Facebook messages, among others.”
In addition, as disclosed by the researcher who preferred to remain anonymous, the leaked data also includes terabytes of unencrypted photos.
“There is at least 2,208 current customers and hundreds or thousands of photos and audio in each folder. There is currently 3,666 tracked phones.”
The researcher also communicated with Troy Hunt of HaveIBeenPwned.com. Based on the provided information, Hunt then indexed around 44,109 breached SpyFone accounts in the database.
Moreover, SpyFone also allowed anyone to view an updated list of customers through an unprotected API merely by guessing the URLs.
“The site shows first and last names, email and IP addresses. As of Thursday, there were more than 11,000 unique email addresses in the database, according to a Motherboard analysis.”
Steve McBroom, a representative of the firm, expressed his relief to Motherboard about the timely discovery by the researcher.
“Thank god it is a researcher, someone good trying to protect.”
He also said that the firm is working hard on improving its site’s security. Moreover, the firm has informed the 2,200 affected customers about the breach.