[BreachExchange] Parental control spyware app Family Orbit hacked, pictures of hundreds of monitored children were exposed

[Destry Winant]

https://securityaffairs.co/wordpress/75888/data-breach/family-orbit-hacked.html

The company that sells the parental control spyware app Family Orbit
has been hacked, the pictures of hundreds of monitored children were
left online only protected by a password.

According to Motherboard that first reported the news, the Family
Orbit spyware left exposed nearly 281 GB of data online. The hacker
discovered the huge trove of data that was stored on an unsecured
server and reported the discovery to Motherboard. The hacker found the
key on the cloud servers of the spyware app.

“A company that sells spyware to parents left the pictures of hundreds
of monitored children online, only protected by a password that almost
anyone could find, according to a hacker.” statesMotherboard.

“The hacker, who’s mainly known for having hacked spyware maker
Retina-X, wiping its servers (twice), said he was able to find the key
to the cloud servers of Family Orbit, a company that that markets
itself as “the best parental control app to protect your kids.” The
servers contained the photos intercepted by the spyware, according to
the hacker. The company confirmed the breach to Motherboard.”

Experts found a Rackspace with about 3,836 containers that also
included video footages.

“I had all photos uploaded from the phones of kids being monitored,
and also some screenshots of the developer’s desktops which exposed
passwords and other secrets,” stated the unidentified hacker.

Motherboard also verified the data breach and stated that the data
belonged to active users who used those email addresses to register to
the service. Motherboard assessed 6 of the email addresses and
concluded that the addresses were active.

The hacker who discovered the unprotected server is the same who
hacked the server of another spyware, Retina-X, two times.

The company confirmed the data breach to Motherboard, its
representative told Motherboard that the API key is stored encrypted
in the app, and that the company observed “unusual bandwidth” used in
their cloud storage.

“We have immediately changed our API key and login credentials. The
sales and the services have been taken offline until we ensure all
vulnerabilities are fixed,” the representative said via email.

The incident is not isolated, companies that sell spyware are a
privileged target of hackers that protest against the abuse of
technology for surveillance purposes.

In the last 18 months, other eight companies that sell spyware have
been hacked, they are FlexiSpy, Retina-X, TheTruthSpy, Mobistealth,
Spy Master Pro, Spyfone and SpyHuman.