Breach of Clearview AI Server Exposed Source Code, Secret Keys and More

By | Managed Services News

Apr 20

Caused by a misconfigured server, the security lapse is Clearview’s second in two months.

A massive data breach of the Clearview AI server exposed source code, secret keys and pre-released developer versions of its apps. Clearview is a U.S. facial recognition firm serving U.S. law enforcement agencies and other organizations. The breach was reported in February. Clearview said at the time that although data had been accessed by unauthorized persons, its servers remained secure and its systems and network were not compromised. But now a compromised server has been found, and it exposed massive amounts of information.

SpiderSilk, a Dubai-based cybersecurity firm, found a misconfigured server belonging to Clearview AI “exposed Clearview’s internal files, secret keys and credentials, apps, source code and employee messages.”

Bitglass’s Anurag Kahol

“Clearview AI’s latest security incident follows shortly after a data breach that compromised the company’s client list. This time around, a misconfigured setting in Clearview’s password-protected server allowed attackers to bypass authentication methods and gain access to the company’s most sensitive internal files such as its source code, employees’ private messages and cloud storage buckets that hold copies of finished and pre-released developer versions of its app,” said Anurag Kahol, CTO at Bitglass.

The company has come under fire over privacy concerns. It collects images from social media public profiles, usually without users’ or social media companies’ consent. Initially the company said it served only U.S. law enforcement, but several reports have come out since then naming private companies on the company’s client list.

DivvyCloud’s Chris DeRamus

“Clearview AI has gained a lot of attention not only from critics who are concerned about the privacy implications of its facial recognition technology, but also from hackers. Regardless of your personal feelings about the company, Clearview’s second security lapse in just two months demonstrates how common misconfigurations are when companies lack proper cloud security strategies, and how easily threat actors can exploit these vulnerabilities,” said Chris DeRamus, CTO of DivvyCloud.

DivvyCloud’s latest report found that the number of records exposed by misconfigurations rose by 80% from 2018 to 2019. Further, the researchers reported that more than 33 billion records were exposed this way over the last two years.

“Bad actors could steal the exposed information for a competing company or leverage the secret keys and credentials to gain access to even more private information — as people commonly reuse their passwords across multiple accounts,” said Kahol.

But this Clearview AI incident comes with a wicked twist.

“Usually, when we talk about breaches and cloud misconfigurations, it’s customer or employee data that is at risk, but this is an example of a security incident that is putting a company’s intellectual property at risk,” said Kahol.

But with every breach come lessons learned for security partners. Savvy MSSPs take note and adjust their services to better protect their clients.

“This particular misconfiguration incident highlights the need for enterprises to adopt least-privileged access across cloud environments, including a robust approach to identity and access management (IAM). In these environments, everything has an identity — users, applications, services, and systems,” said DeRamus.

“Organizations must implement multifactor authentication (MFA) for all users, securely manage service accounts and their corresponding keys, enforce least-privileged access, and enforce best practices for the use of audit logs and cloud logging roles,” DeRamus added.
