Employee Monitoring Application Exposes Millions of Screenshots

As of late 2024, the public cloud is the technology of choice for organizations looking to build new applications and workflows. Accompanying this continuous migration to the cloud is the natural influx of data that are processed, stored, and transmitted by these applications. Furthering this problem is the fact that this already larger volume of data are being distributed over an ever-increasing number of storage repositories like Amazon S3 buckets, Azure Blobs, and Google Cloud Storage Containers.

In the past few months, Casmer Labs, Cloud Storage Security’s internal threat laboratory, has observed a number of high-profile (and not so high-profile) incidents wherein either by human error, lack of monitoring/observability, or other factors, publicly accessible object storage resources have resulted in catastrophic data breaches.

One of the most recent examples comes in the form of WorkComposer, and employee monitoring application, who inadvertently exposed over 21 million screenshots taken by the service. The source? A misconfigured and publicly accessible Amazon S3 bucket that was discovered by researchers on February 20, 2025. As of April 28, 2025, the leaked screenshots have been confirmed to include login credentials, API keys, private emails, and calendar appointments. Given the nature of these screenshots, this exposure generates the significant risk of compromised employee credentials as well as the added potential for malicious actors to use this information to assist in social engineering schemes like phishing campaigns.

As of the publishing of this article, the Amazon S3 bucket responsible for the breach has been appropriately secured. If your organization has used WorkComposer at any point, immediately change your passwords and enable multi-factor authentication for any accounts that could have been compromised or exposed. To prevent a similar incident from affecting your organization, take the following steps:

• Restrict Public Access & Secure Cloud Storage

• Configure strict access controls to ensure only authorized users or services can access sensitive data
• Regularly review and update permissions to minimize exposure

• Monitor & Audit Access Logs

• Continuously track access logs to detect unauthorized activity
• Conduct retrospective log analysis to identify any suspicious access patterns

• Encrypt Data at Rest & In Transit

• Enable server-side encryption to protect stored data
• Use AWS Key Management Service (KMS) or equivalent tools to securely manage encryption keys

• Automate Security Measures

• Deploy automated security checks to detect misconfigurations and vulnerabilities
• Use cloud security tools that provide real-time alerts and automated remediation

• Conduct Regular Security Audits

• Perform frequent security assessments to identify and address weak points
• Implement penetration testing to simulate potential attacks and strengthen defenses

• Train Employees on Cybersecurity Best Practices

• Educate teams on data security, phishing risks, and access control policies
• Establish clear protocols for handling and securing sensitive information

About Cloud Storage Security

Cloud Storage Security (CSS) offers customers the ability to deploy multi-cloud, multi-account, and multi-resource malware scanning to protect the entirety of their storage suite under one console. Customers choose CSS’ solution because it:

• Offers flexible scanning models – Scan existing data on a scheduled basis, as data is written to storage repositories, or even before it is written
• Offers multiple malware scanning engines – Using multiple enterprise-grade engines reduce false positives and false negative rates
• Is simple to deploy, configure, and live with – Initial deployment can be performed in under 15 minutes. In-console quarantine, the ability to set up scanning for all storage resources in a single click, and minimal maintenance can all be performed from the console

Cloud Storage Security (CSS) also provides customers with flat-rate pricing based on cloud spend or no. of employees, that allows customers to:

• Apply malware protection for their entire environment, including Amazon S3, Amazon EFS, Amazon EBS, Amazon FSx, Microsoft Azure Blob Storage, and Google Cloud Buckets
• Perform periodic rescanning to meet compliance requirements and detect dormant malware
  
  

If your organization is interested in learning more about securing its storage resources, get in contact with an SME at cloudstoragesecurity.com/contact or watch an in-depth demo at cloudstoragesecurity.com.

Organizations can also try out the solution for free for 30 days in AWS Marketplace.