Family Orbit, a consumer spyware firm that offers a parental control app, reportedly exposed 281GB worth of sensitive data online. The data was stored on an unsecured cloud server and primarily contained the photos of children monitored by the spyware firm.
The vulnerable server was discovered by a hacker who claimed that he was able to find the key to Family Orbit’s cloud servers, which in turn allowed him to steal all the sensitive data stored on them.
“I had all photos uploaded from the phones of kids being monitored, and also some screenshots of the developer's desktops which exposed passwords and other secrets,” the hacker told Motherboard.
The hacker posted some screenshots of the stolen data to prove that he had gained access to Family Orbit’s servers. The hacker claimed that the data was protected by a weak password. He also appeared to have found and manipulated the API key of the spyware firm’s app.
Meanwhile, a representative of Family Orbit confirmed the data breach. He told Motherboard that the company’s API key is stored in the app and that they had observed unusual bandwidth use in their cloud storage servers.
The hacker said that Family Orbit left 3,836 databases exposed online. These held about 281GB of data, including video footage. Motherboard claimed to have verified the breach and stated that the data belonged to users who are registered with the service. It assessed 6 email addresses before coming to that conclusion.
The company was quick to fix the flaw once the issue was discovered. Family Orbit immediately changed the API key and login credentials.
“We have immediately changed our API key and login credentials. The sales and the services have been taken offline until we ensure all vulnerabilities are fixed,” the spyware firm’s representative said, Motherboard reported.