Unnamed stalkerware company has left gigabytes of sensitive personal info unprotected on the web and can't be reached to fix it

Originally published at: https://boingboing.net/2019/03/22/jfc-srsly-jfc.html


We reached out to the company’s official contact email, displayed on its site. No answer. We reached out to the Gmail address of the site’s administrator, who also appears to be the company’s founder. No answer. We left a voicemail to a Google Voice number listed on the site’s WHOIS details. No answer.

Yep, my average work day.


Contact the company or contact the FBI? Hmmm…


I’ve been postulating lately about the hypothetical “Criminal App Store” as tech people become more and more disillusioned with the contemporary state of things … there has to be databases for criminals, vigilantes, and the likewise that feel law is not useful for them any longer.

Like UberEats for Jimmy McGill trying to get someone to do that Hummel figurine job.


To the extent FBI don’t already have all that sensitive data, do you really want them to?


just name the damned company and put everyone out of their misery. This crap about "responsible disclosure has gone far enough. Things will never get better if everyone agrees to hide this type of behaviour to ‘protect’ people.Name them. Make it all public and let the criminal charges/lawsuits fly where they will. There is zero good incentive to stop this crap if everyone, including those claiming to be trying to stop willfully follow omerta and cover up/hide the evidence from everyone.

1 Like

Sure, but if you name it there will be a thousand assholes/4chan members digging up the photos and tossing them into a hot-or-not app; victims be damned.

I’d rather the FBI knows than EVERY creep on the internet.


That particular data the FBI are not likely to be interested in. But the collection was almost certainly illegal…

1 Like

If someone was doing this on a server hosted by someone else… would that server provider be legally able to help? I realize that wouldn’t even be a thing if they have their own server or are hosted by some server in a foreign country to is just as shady as they are.


They aren’t trying to protect the owners of the website, they are trying to protect the individuals who’s information was stolen and is there open to easy access by others but possibly unknown generally. Like if someone stole the door off all the safe deposits at a bank (or more preceisely a vault full of stolen stuff) and no one is around or able to fix it. You don’t go yell to the public hey look that vault in unprotected and unguarded…


God I want to make a Facebook joke, but, really, what’s the point?

But if you don’t name it, new victims’ information will continue to be added indefinitely. And eventually everything will be exposed; it’s inevitable. Interesting variation on the trolley problem.


I know who they are putatively trying to protect, yet it has reached an absurd level now. You basically can’t even talk about this kind of incident without leaving enough clues for some to find the cache your not “exposing”.

Let the fur fly where it will. That is the only way things will change enough that this level of craptastic behaviour gets put on the endangered list. And yes, I would tell everyone about a bank doing that, it would help put a stop to banks evil mendacious ways.

The exposed server contains two folders with everything from intimate pictures to recordings of phone calls, given that the app markets itself mostly to parents.

So worried – or controlling – parents, presumably out to protect their kids, have made their kids vastly more vulnerable.


This is spyware–the customers aren’t the people whose data is exposed. It’s not going to be much of a deterrent.

On the other hand, the hosting company now knows they are hosting a whole bunch of illegally-obtained data. I wonder if the victims would have cause to sue…

1 Like

Perhaps the site’s administrator was just killed by a runaway trolley. Otherwise known as the Exponential Trolley Problem

I think the folks from Motherboard are savvy enough that they tried this route. The fact that it apparently hasn’t worked leads me to guess it a self hosted server (maybe even in their own office building). It could also be hosted on a bulletproof server but seeing how careless they are with their op-sec I don’t think they would be smart enough to choose something like that.

I was like “Yo, Security Researcher ™, could you please inform the fucking hosting service to shoot the site down?”

I clicked through and saw they wrote mail to the hoster, Codero.

Then I looked at twitter.

Last tweet from last week.

Looked at their webpage, they have a chat:


And what’s that old school thing on their website? Phone numbers?

They even have a Team page:

I stopped there, but I predict some of them even use twitter. So, if I would be a security researcher, I’d try that route, too.

If that wouldn’t lead to a response…
Well now, I’m not saying the hosting provider is malevolent, but they surely have an interest in keeping their servers… save? They would answer, would they?

So, ETA:

Wow, Motherboard and Cian, amplified by many a news site including BB, have managed to non-disclose disclose the DB.

I seriously hope the victims are not harmed in any way. See above - someone already mentioned the trolls.

We need bigger fish for this…

This topic was automatically closed after 5 days. New replies are no longer allowed.