An app designed to track employee productivity by logging keystrokes and taking screenshots has suffered a significant privacy breach as more than 21 million images of employee activity were left in an unsecured Amazon S3 bucket.
Researchers at Cybernews first uncovered the leak at WorkComposer, a workplace surveillance tool intended to keep an eye on employees by watching their digital presence. Though the company did secure access after being contacted by the news outlet, the data was exposed in real-time to anyone with any internet connection leaving the sensitive work data of thousands of employees and companies exposed online.
WorkComposer is an app used by over 200,000 people across multiple companies and is intended to help those companies monitor employee productivity by capturing keystrokes, tracking how long employees spend on each app and snapping desktop screenshots every few minutes.
Having millions of those screenshots exposed to the open web leaves a wealth of sensitive information exposed: full screen captures of emails, internal chats, confidential business documents as well as login pages, API keys and of course, usernames and passwords. All of this could be used not only to attack businesses themselves but to commit identity theft, hijack employee accounts or commit further breaches.
Additionally, the companies that have been using WorkComposer could now be subject to E.U. GDPR (General Data Protection Regulation) or U.S. CCPA (California Consumer Privacy Act) violations along with other legal actions as well.
Since workers have no control over what tracking tools may capture in their workday, be it private chats, confidential projects or even medical info, there’s already an iffy ethical territory around tracking tools and a serious privacy violation if the screenshots are leaked.
This breach isn’t the first either as Cybernews points out they found a previous leak from WebWork, a similar workplace tracking tool that experienced a breach of 13 million screenshots.
More from Tom's Guide
- Samsung phone security flaw leaves passwords exposed — protect yourself now
- FBI issues warning over scammers impersonating agents to steal your money
- Hackers are impersonating banks to infect your Android phone with credit card-stealing malware
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
