- An Amazon S3 bucket is leaking sensitive screenshots of remote workers
- The bucket is owned by WebWork Tracker
- The leak is putting company data and credentials at risk
A storage bucket associated with the WebWork Tracker application has been leaking sensitive info and company data online, with upwards of 13 million screenshots reportedly breached.
The WebWork Tracker software is used by organizations to monitor remote workers by taking regular screenshots of the workers screen to show the employer what they have been working on.
However, the Amazon S3 bucket that the screenshots were stored on was misconfigured, lacking the end-to-end encryption that the Armenian-based company states it uses to safely store sensitive screenshots.
Company data, credentials, and API keys at risk
The bucket was discovered by the Cybernews research team on June 11, with the team reaching out to the WebWork Tracker team on multiple occasions since August 13 to alert the organization to the leaking bucket, but received no response.
As a result, Cybernews notified the Computer Emergency Response Team (CERT).
The remote worker tracking software is used by a number of businesses across the US, including remote-hiring company Deel, which is based in the US. Cybernews also found many other businesses across Austria, the Netherlands, and India that also used the software.
As a result of the leaking files, it is possible that the company has violated EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). GDPR fines can be €20 million or 4% of global revenue, whichever is greater, with CCPA fines reaching $2,500 per non-intentional violation.
Redacted screenshots from the database shared by Cybernews show spreadsheets containing credentials and sensitive customer information, making the leaking database a prime target for threat actors looking to use supply-chain attacks to compromise organizations.
You might also like
- These are the best password managers around today
- Take a look at the best business VPN
- European Commission hit by EU court fine after breaking own data privacy rules