It's the absolute worst-case scenario for data protection and a nightmare for companies: a software misconfiguration exposed millions of screenshots containing extremely confidential data. This is what happened with the employee monitoring software WorkComposer.
What is WorkComposer?
WorkComposer is software for time tracking and subsequent workforce analysis. The US vendor markets it as a tool for analyzing employee productivity, offering AI-supported time tracking and productivity analysis.
The US vendor advertises more than 200,000 users and promises "bullet-proof security". The software is comparable to other products such as HubStaff, Teramind and ActivTrak.
When bullet-proof security goes wrong
In this comment, a German blog reader pointed out a data protection and security disaster involving this provider. Last weekend, someone on reddit.com compiled the details in the post "WorkComposer Breached – 21 million screenshots leaked, containing sensitive corporate data/logins/API keys – due to unsecured S3 bucket".
A US company based in Delaware provides WorkComposer, a tool for monitoring employee productivity that can be installed on any PC. The tool monitors which applications employees use and for how long, which websites they visit, how actively they type, etc.
The software also takes a screenshot every 20 seconds for management review, a feature that reminds me of Microsoft's Recall for Windows. These screenshots are, of course, stored in the cloud.
The vendor of WorkComposer made the mistake of leaving the Amazon S3 bucket in which the screenshots and data are stored openly accessible and unprotected on the Internet. According to the report, 21 million unedited screenshots sat in the AWS S3 bucket, open and unprotected, for anyone on the Internet to view.
The poster writes that the extent of the data leak is difficult to estimate. However, the company claims to have more than 200,000 users as its customer base. The 21 million screenshots are likely to come from over 200,000 individual users/employees from possibly several thousand companies.
The poster says that all companies that have been using WorkComposer are now "getting a major headache". Given that screenshots were taken every 20 seconds, anything confidential that a user has done on the computer in the last 180 days must be considered compromised. Management should compile lists of all tasks that employees completed during this period.
Since it is unlikely that WorkComposer has sufficient logging to determine whether anyone else accessed the S3 bucket, users should assume the worst: all data (including customer data) could potentially have been viewed by unauthorized third parties, and all work done on the monitored systems, as well as any company secrets held there, should be considered compromised. The incident response requires a mass reset of passwords for the individual systems that were accessed during the monitoring period.
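As an added illustration (not code from the post or from WorkComposer), here is a small Python audit of the two failure modes described above: a bucket policy that makes objects world-readable when S3 Block Public Access is off, and missing server access logging, without which unauthorized reads cannot be reconstructed afterwards. The policy document, bucket name and flag values are constructed samples.

```python
import json

# Constructed sample: a bucket policy granting anonymous GetObject on every
# key, the kind of setting that leaves uploaded screenshots world-readable.
SAMPLE_OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-screenshots/*"}],
})
# Constructed sample: all four S3 Block Public Access flags switched off.
SAMPLE_PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                  "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
READ_ACTIONS = {"*", "s3:*", "s3:Get*", "s3:GetObject"}

def _is_anonymous(principal):
    """True if a policy Principal element grants to everyone ("*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def policy_grants_public_read(policy_json):
    """True if any Allow statement lets an anonymous principal read objects.
    Conditions are not evaluated, so this errs on the side of flagging."""
    stmts = json.loads(policy_json).get("Statement", [])
    for s in ([stmts] if isinstance(stmts, dict) else stmts):
        if s.get("Effect") != "Allow" or not _is_anonymous(s.get("Principal")):
            continue
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if READ_ACTIONS.intersection(actions):
            return True
    return False

def public_access_blocked(pab):
    """True only when all four Block Public Access flags are enabled."""
    return all(pab.get(k, False) for k in SAMPLE_PAB_OFF)  # same four keys

def audit_bucket(policy_json, pab, logging_target=None):
    """Return findings for one bucket; an empty list means nothing found."""
    findings = []
    if policy_grants_public_read(policy_json) and not public_access_blocked(pab):
        findings.append("public read: open policy and no public access block")
    if not logging_target:
        findings.append("no access logging: unauthorized reads cannot be traced")
    return findings
```

In a real account the three inputs would come from GetBucketPolicy, GetPublicAccessBlock and GetBucketLogging; the check logic stays the same.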
The security researchers at CyberNews have disclosed the facts in the blog post "Employee monitoring app leaks 21 million screenshots in real time". They assess the data exposed in the S3 bucket as extremely sensitive: the millions of screenshots from employee devices could reveal not only full-screen images of emails, internal chats and confidential business documents, but also login pages, credentials, API keys and other sensitive information captured in the software's recordings. This information could be used for attacks on companies worldwide.
CyberNews contacted the company, and access has since been secured. An official statement from the company is still pending. The open AWS S3 bucket was discovered on February 20, 2025 and reported to the vendor the following day. CERT was contacted on March 19, 2025, and the data incident was closed on April 1, 2025.
Similar case with WebWork in January 2025
Incidentally, this is not the first such case, although I have not reported on it here on the blog before: in January 2025, CyberNews informed me that they had found an unprotected WebWork Tracker installation open on the Internet. Here, too, an Amazon Web Services (AWS) S3 bucket was unsecured and accessible via the Internet.
The WebWork application exposed over 13 million logs and screenshots, some of which could contain sensitive or private information that should not be publicly available. Clients using the company's service include the San Francisco-based remote hiring giant Deel, as well as companies in Austria, the Netherlands, India and the US. According to the WebWork Tracker website, the platform has over 140,000 users and serves over 15,000 companies worldwide.