AWS Bucket Leaks Again: Spyware Firm the Ironic Victim

(Image credit: Spyfone)

Spyfone, a company that sells consumer spyware software to parents and employers, leaked “terrabyes” of personal data via its Amazon Web Services (AWS) S3 storage bucket, according to a Motherboard report.

Spyfone’s Spying Data Leaked

An anonymous security researcher reported to Motherboard that he found terrabytes of data, including selfies, text messages, audio recordings, contacts, location, hashed passwords and logins and Facebook messages, all of which were exposed on Spyfone’s public AWS S3 bucket. Spyfone had gathered this data on behalf of its customers, who installed its application on their children or employees’ smartphones in order to track exactly what they were doing.

Motherboard was able to verify that what the researcher was saying was true by creating a trial account with Spyfone, installing the application on a phone and then taking some pictures. Hours later, the researcher sent back one of the pictures to Motherboard, confirming that he had access to Spyfone's data.

Virtually No Server Protection

The researcher noted that the S3 bucket currently contains the data from 3,666 tracked phones from 2,208 customers. Beyond the hundreds of thousands of photos and audio recordings associated with those phones, the researcher also found 44,109 unique email addresses.

Furthermore, the researcher learned that Spyfone didn’t even require a password for access to its own backend servers. This is how the researcher was also able to create his own admin account on the company’s servers.

Spyfone’s APIs were left unprotected as well, which could have allowed anyone that guessed or intercepted the URL addresses to see exactly who were Spyfone’s customers.

In a statement to Motherboard, Steve McBroom, a Spyfone representative, said:

“We have partnered with leading data security firms to assist in our investigation and continue to coordinate with law enforcement authorities about this situation. Every day our team takes great strides to enhance our site’s security, and we certainly anticipate that this recent data breach is the last. Communications about the breach and the investigation have gone out to our customers.”

One common trait of previous data leaks or breaches against consumer spyware companies from recent years has been that despite being able to develop technology to track and intercept other people’s communications, they do a poor job of protecting their own services against similar interception or hacks.

The Spyfone news marks another case in an AWS bucket leading to vulnerability. Previous cases, including those caused by misconfiguration by the customer (as opposed to on AWS' side), occurred at Accenture, Tesla, GoDaddy, the U.S. Pentagon and robocaller Robocent.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • johnnycanadian
    I (don't really) hate to be that guy, but there's no such thing as a "terrabyte". "Terabyte, yes".

    Also, who is McBroom? He's not introduced prior to his quoted statement.
  • johnnycanadian
    Tee hee. Here I am criticizing your editing and I don't seem to know where quotation marks should start and end. Oops.
  • Brian_R170
    I wanted to ask the same question. Who is McBroom? From the context, I guess some spokesperson from Spyfone.
  • ajr1775
    You're in the business of securing highly sensitive customer data and you don't password your "backend servers". People should be fired....or shutdown, sounds like it's a company ran by a very small group. Either a worker violated policy by not passwording the servers or this company is so small it has no policy in place.