The company that sells the parental control spyware app Family Orbit has been hacked, the pictures of hundreds of monitored children were left online only protected by a password.
According to Motherboard that first reported the news, the Family Orbit spyware left exposed nearly 281 GB of data online. The hacker discovered the huge trove of data that was stored on an unsecured server and reported the discovery to Motherboard. The hacker found the key on the cloud servers of the spyware app.
“A company that sells spyware to parents left the pictures of hundreds of monitored children online, only protected by a password that almost anyone could find, according to a hacker.” states Motherboard.
“The hacker, who’s mainly known for having hacked spyware maker Retina-X, wiping its servers (twice), said he was able to find the key to the cloud servers of Family Orbit, a company that that markets itself as “the best parental control app to protect your kids.” The servers contained the photos intercepted by the spyware, according to the hacker. The company confirmed the breach to Motherboard.”
Experts found a Rackspace with about 3,836 containers that also included video footages.
“I had all photos uploaded from the phones of kids being monitored, and also some screenshots of the developer’s desktops which exposed passwords and other secrets,” stated the unidentified hacker.
Motherboard also verified the data breach and stated that the data belonged to active users who used those email addresses to register to the service. Motherboard assessed 6 of the email addresses and concluded that the addresses were active.
The hacker who discovered the unprotected server is the same who hacked the server of another spyware, Retina-X, two times.
The company confirmed the data breach to Motherboard, its representative told Motherboard that the API key is stored encrypted in the app, and that the company observed “unusual bandwidth” used in their cloud storage.
“We have immediately changed our API key and login credentials. The sales and the services have been taken offline until we ensure all vulnerabilities are fixed,” the representative said via email.
The incident is not isolated, companies that sell spyware are a privileged target of hackers that protest against the abuse of technology for surveillance purposes.
In the last 18 months, other eight companies that sell spyware have been hacked, they are FlexiSpy, Retina-X, TheTruthSpy, Mobistealth, Spy Master Pro, Spyfone and SpyHuman.