This story is part of When Spies Come Home, a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.
A company that sells spyware to parents left the pictures of hundreds of monitored children online, only protected by a password that almost anyone could find, according to a hacker.
Videos by VICE
The hacker, who’s mainly known for having hacked spyware maker Retina-X, wiping its servers (twice), said he was able to find the key to the cloud servers of Family Orbit, a company that that markets itself as “the best parental control app to protect your kids.” The servers contained the photos intercepted by the spyware, according to the hacker. The company confirmed the breach to Motherboard.
“I had all photos uploaded from the phones of kids being monitored, and also some screenshots of the developer’s desktops which exposed passwords and other secrets,” the hacker told me in an online chat.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzo@motherboard.tv
The company left exposed 3,836 containers on Rackspace with 281 gigabytes of pictures and videos, the hacker said. The hacker shared screenshots showing he had access to the folders. Motherboard was also able to verify the breach after the hacker shared a sample of users. We verified that those were active users by attempting to register to the service using those email addresses. With all the six emails, the site said the addresses were already in use.
A representative of Family Orbit confirmed to Motherboard that the API key is stored encrypted in the app, and that the company observed “unusual bandwidth” used in their cloud storage.
Read More: Don’t Use Software To Spy On Your Spouse
“We have immediately changed our API key and login credentials. The sales and the services have been taken offline until we ensure all vulnerabilities are fixed,” the representative said via email.
This is yet another breach in a seemingly endless series of hacks and leaks in the consumer spyware industry. In the last 18 months, hackers have breached eight companies that sell malware designed to keep tabs on children or employees: FlexiSpy, Retina-X, TheTruthSpy, Mobistealth, Spy Master Pro, Spyfone and SpyHuman. Several hackers have targeted the industry with the goal of exposing what they think is an unethical line of business that employs shoddy security practices.
Solve Motherboard’s weekly, internet-themed crossword puzzle: Solve the Internet .