Cyber Incident Victim: Family Orbit
Date: Aug 2018
Location: United States of America
Summary
A spyware company selling parental monitoring software exposed hundreds of children's photos and sensitive data due to inadequate security protections, including a publicly discoverable password safeguarding the online repository. The breach involved approximately 281 gigabytes of children's personal images, with the firm confirming unauthorized access occurred through an encrypted API key and acknowledging abnormal bandwidth consumption in its cloud storage. This incident reflects broader security vulnerabilities within the consumer spyware sector, which experienced multiple similar compromises targeting child and employee surveillance products over an 18-month period.
Description
In August 2018, Family Orbit, a company providing parental monitoring software, experienced a data breach exposing approximately 281 gigabytes of children’s photos stored in its cloud environment. A hacker identified that the data repository was secured only by a weak, easily discoverable password, leaving the sensitive content accessible to unauthorized parties. The compromised data included images captured through Family Orbit’s spyware application, which parents used to monitor their children’s device activities. The hacker contacted Motherboard to disclose the vulnerability, noting the inadequate security measures protecting the trove of personal data. Family Orbit later confirmed the breach occurred due to an exposed API key, which the company stated was stored in an encrypted format within the application. The company detected anomalous activity through unusual bandwidth consumption patterns in their cloud storage infrastructure, though the exact duration of unauthorized access remains unspecified. This incident highlighted vulnerabilities in the storage and access controls of sensitive data collected by consumer surveillance tools.

Family Orbit acknowledged the breach to Motherboard but did not disclose the number of affected children or families. The company’s representative emphasized that the API key was encrypted within the app, though the breach demonstrated that this measure alone failed to prevent unauthorized data exposure. The incident occurred amid a broader trend of security failures in the consumer spyware sector, with eight similar companies breached within the preceding 18 months. These breaches consistently involved poorly secured customer data, including location information, communications, and media files. The exposure of children’s photos underscored the risks associated with mass data collection by monitoring applications, particularly when security practices lag behind industry standards. No specific containment measures or post-breach notifications were detailed in the available reports, leaving the full scope of consequences unverified.
