Employee monitoring app leaks 21 million screenshots in real time

https://cybernews.com/security/employee-monitoring-app-leaks-millions-screenshots/

Did your employer install a workplace surveillance tool on your work computer? Chances are, both you and your company should be worried about a data breach.

Researchers at Cybernews have uncovered a major privacy breach involving WorkComposer, a workplace surveillance app used by over 200,000 people across countless companies.

The app, designed to track productivity by logging activity and snapping regular screenshots of employees’ screens, left over 21 million images exposed in an unsecured Amazon S3 bucket, broadcasting how workers go about their day frame by frame.

The leaked data is extremely sensitive, as millions of screenshots from employees’ devices could not only expose full-screen captures of emails, internal chats, and confidential business documents, but also contain login pages, credentials, API keys, and other sensitive information that could be exploited to attack businesses worldwide.

Cybernews contacted the company, and access has now been secured. An official comment has yet to be received.

WorkComposer is just one of many workplace surveillance tools out there. They are incredibly invasive because they take screenshots of your screen every few minutes… much like Microsoft Recall.

Not only can these screenshots contain confidential work-related information like passwords and API keys, they can also collect personal information about you.

A single exposed screenshot showing a visible password, API key, or sensitive conversation can lead to credential theft, phishing attacks, or even corporate espionage.

The leak’s real-time nature only amplifies the danger, as threat actors could monitor unfolding business operations as they happen, giving them access to otherwise locked-down environments.

Beyond immediate cybersecurity risks, there’s also a deep privacy violation at play. Time-tracking tools already sit in murky ethical territory, capturing minute-by-minute snapshots of a worker’s digital behavior under the banner of productivity.

Workers have no control over what ends up in those screenshots – be it a personal email, a medical appointment, or a confidential project. With millions of images floating publicly, it’s not just corporate data that’s vulnerable – it’s people.

Obviously, some level of logging is required in the workplace. For folks working in IT, what do you think about these tools? What are some better solutions out there for companies to use that balance employee privacy and accountability?
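The breach vector above is an unsecured S3 bucket. As an added example (not code from the article, Cybernews or WorkComposer), here is a small offline audit routine that flags a bucket policy granting anonymous access and combines it with the bucket's Block Public Access settings; the bucket name, account id, role name and both policy documents are constructed for illustration, and the check is a simplification of the AWS evaluation logic (statements with a Condition are skipped rather than evaluated).

```python
import json

# Constructed sample policies (not WorkComposer's): the first grants anonymous
# read and list access to the whole bucket, the second restricts it to one role.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-screenshots/*",
                 "arn:aws:s3:::example-screenshots"]}]})
RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-screenshots/*"}]})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _is_anonymous(principal) -> bool:
    """True when the Principal element matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_grants(policy_json: str) -> list:
    """Actions that unconditional Allow statements grant to anonymous principals.
    Statements carrying a Condition are skipped here (simplification: they may
    still be public, but need per-condition review)."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    found = []
    for st in statements:
        if st.get("Effect") == "Allow" and "Condition" not in st \
                and _is_anonymous(st.get("Principal")):
            found.extend(_as_list(st.get("Action")))
    return found


def effectively_public(policy_json: str, public_access_block: dict) -> bool:
    """Combine the policy check with the bucket's Block Public Access settings.
    RestrictPublicBuckets=True makes AWS ignore public grants in the policy, so
    such a bucket is not reachable anonymously even if the policy says so."""
    if public_access_block.get("RestrictPublicBuckets", False):
        return False
    return bool(public_grants(policy_json))
```

The same two functions can be fed the real documents returned by `get_bucket_policy` and `get_public_access_block` in boto3 when auditing your own account.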

The difference is Recall doesn’t send them anywhere and keeps them encrypted locally so even other users on your machine can’t see them. World of difference.

Really insane how bad the surveillance tech in the workplace has gotten and it’s clearly coming back to bite them.


Even with that limitation, it still gets more (rightful) backlash.

I don’t know why so much effort is wasted on keeping employees accountable at the cost of basic security and privacy practices. Especially when purchasing third-party services like these…

Doesn’t it backup to OneDrive automatically like other Windows stuff?

According to Microsoft:

We built privacy and security into Recall’s design from the ground up. With Copilot+ PCs, you get powerful AI that runs locally on your device. No internet or cloud connections are required or used to save and analyze snapshots. Snapshots and associated data are stored locally on the device. Recall does not share snapshots or associated data with Microsoft or third parties, nor is it shared between different Windows users on the same device. Windows will ask for your permission before saving snapshots. You are always in control, and you can delete snapshots, pause or turn them off at any time. Any future options for the user to share data will require fully informed explicit action by the user.

So it looks like it doesn’t. Also it’s encrypted and protected by the TPM.
