WorkComposer employee monitoring app leak exposes 21 million screenshots online

Skye Jacobs

Posts: 2,011   +58
Staff
A hot potato: A serious breach of workplace privacy has come to light after a popular employee monitoring application inadvertently exposed more than 21 million screenshots of workers' computer activity to the public internet. The incident has raised urgent concerns about the security and ethics of digital surveillance in modern workplaces.

Over 200,000 employees across thousands of organizations use WorkComposer to track productivity by logging keystrokes, monitoring application usage, and capturing screenshots every few minutes. Researchers at Cybernews discovered a misconfigured Amazon S3 storage bucket that exposed these screenshots, effectively putting a frame-by-frame record of daily work routines on public display.

The exposed images revealed a vast trove of sensitive information. Many captures showed full-screen views of emails, internal chats, business documents, and login pages displaying usernames, passwords, API keys, and other credentials. Cybernews promptly notified WorkComposer, which then secured the exposed storage. As of publication, WorkComposer has not issued an official statement regarding the incident.

Cybercriminals could have easily exploited the exposed data for identity theft, phishing, or corporate espionage, potentially gaining unauthorized access to confidential company systems. Since the screenshots leaked in real time, malicious actors could have observed business operations as they unfolded.

The privacy implications extend beyond corporate risk. Employees had no control over what appeared in the captured images, which could have included personal messages, medical appointments, or other private matters. The ethical debate surrounding workplace surveillance tools remains contentious, as workers often have little say in what monitoring software records during their workday.

The scale and nature of the exposed information could trigger regulatory investigations and significant penalties, compounding the seriousness of the breach. Companies using WorkComposer may now face scrutiny under data protection laws such as the European Union's General Data Protection Regulation and the California Consumer Privacy Act, which impose strict requirements for handling personal and sensitive data.

What makes this breach particularly troubling is how easily organizations can make similar mistakes. Misconfiguring Amazon S3 buckets – such as inadvertently allowing public access – is a widespread, persistent problem. Studies indicate that up to 31 percent of S3 buckets remain publicly accessible, exposing organizations to significant security risks. The WorkComposer incident isn't isolated. Similar breaches have occurred with other time-tracking and surveillance apps, highlighting a broader issue with the security practices of workplace monitoring tools.

Image credit: Cybernews

Permalink to story:

 
There have been S3 breaches in the past from Verizon, FedEx, Tesla, National Credit Federation, The Pentagon, Dow Jones, WWE, Accenture, Twitch, Capital One, and the list continues...

Man these application engineers really struggle with setting those S3 bucket permissions.
 
These mass surveillance tools should simply be banned.
Not only because constantly snooping on everyone is an extremely disgusting thing, but also because of the security implications. A breach like that exposes what everyone withing the organization is doing, and now this information can be easily analyzed with AI tools.
The potential damages if that happens far outweigh any 'benefits' from snooping on employees.
 
There have been S3 breaches in the past from Verizon, FedEx, Tesla, National Credit Federation, The Pentagon, Dow Jones, WWE, Accenture, Twitch, Capital One, and the list continues...

Man these application engineers really struggle with setting those S3 bucket permissions.
It’s crazy how normal misconfigured S3 buckets have become at this point. Companies spend fortunes spying on their employees but can’t be bothered to double-check if their cloud storage is locked down.

This is a good reminder that surveillance tech isn’t just an ethics problem, it’s a huge security liability too. Every system that collects massive amounts of data becomes a prime target... or worse, a ticking time bomb if poorly secured.
 
Did they not even test it? Like, come on, maybe just do a random spot check to see if it’s open to the public?

It is incredible how often this happens with S3 buckets though.
 
Back