Data leak: highly sensitive photos, video and audio leaked from a 'private social network'

The CyberNews investigation team recently discovered an unsecured database containing more than 130,000 extremely sensitive, very explicit private photos, videos, and audio recordings. The database appears to belong to a “private social network” that’s most likely based in China. 

The sexting – or sex texting/messaging – industry has certainly boomed in 2020 in response to forced isolation in many regions. As Covid-19 has locked down entire populations, individuals are increasingly looking online for digital intimacy when physical intimacy is forbidden or risky. Since people generally want to feel safe when sending these kinds of explicit communications, it can be seen as a betrayal that a platform would be so loose in its security.

The leaked database contains 132,214 files made up of:

• 83,016 images 
• 4,932 videos
• 43,369 audio
• 899 gifs

While we normally include multiple examples of the exposed files that are included in the unsecured database, the explicit nature of the majority of the photographs makes that unwise. However, there are some relatively tame images that we can include:

Suffice it to say: most of the images and videos are not of people’s faces.

Fortunately, Amazon was able to close off the unsecured bucket on November 6, two days after we first contacted them. We were unable to get in contact with the bucket’s owner or creator.

Who owns the bucket?

It is impossible to state with 100% confidence who owns the bucket. There are only media files contained within the bucket, and no usernames, emails or other files that could identify the likely platform or website it came from.

However, the name of the bucket points toward LimitChat, which seems to be one of the products or social platforms related to FaceChance. In this privacy policy, the FaceChance creators list LimitChat as one of their products.

On the related site FaceLimit, a user named ‘beijing’ lists themself as the creator of not only FaceChance, but also a slew of other sites:

Some of the images in the bucket that we viewed were also screenshots of text messages in Chinese.

For these reasons, we believe that the “private social network” leaking these explicit files is based in China or a Chinese-speaking region.

What does this mean for LimitChat users?

Given that this bucket belongs to LimitChat, which we believe is a product of FaceChance, then LimitChat users have just had their most sensitive, explicit moments leaked online for anyone who knows where to look. We’ve said it before: accessing an unsecured Amazon S3 bucket is remarkably easy – you just need a direct link and that’s it. 

Now, there are no real identifying details in the unsecured bucket – no names, usernames, emails or any identifying documentation. And, beyond that, many of the pictures and videos were not of users’ faces.

However, these kinds of pictures, videos and audio messages are the types that are normally used for blackmailing or cyberbullying. Any user of LimitChat would not want these details leaked to their family or friends, or anywhere online really. For that reason, they might be willing to adhere to an attacker’s demands.

Beyond that, however, the focus here should be placed squarely on the developers’ shoulders. This person or group somehow got the trust of their users, but did not ensure that their very sensitive data would be properly secured.

This can cause emotional or reputational damage to those users, and the fault lies with the platform– not the people uploading these files to the platform.

How do I know that my social platform isn’t leaking my sensitive data?

LimitChat isn’t unique in having unsecured data – in fact, CyberNews has published multiple instances in which databases are leaking sensitive data of various types, most likely because of simply overlooking basic security principles. 

Because it can be so easy to overlook these principles, it’s possible that, even if you aren’t a LimitChat user, your own social platform of choice could be leaking your private information.

For example, if we look at TikTok, there are some major accusations that the Chinese-based platform is spying on you for China – besides simply collecting as much of your personal data as possible. Facebook has also been accused of the same thing – including leaking the personal data of 419 million of its users.

With smaller, much lesser known social media platforms like LimitChat, the risk of unsecured data is most likely larger, not smaller. Smaller platforms have smaller teams, and it is likely that their resources are spread thin between moderating the platform, improving the design, user-friendliness, and engagement, and gathering and securing the data.

In essence: just as with Tiktok, or Facebook, or any other big or small social media platform, you can never be really certain that your data isn’t being leaked. For that reason, it’s most likely a good idea to limit what kind of sensitive data you are sharing. For really sensitive communications, including sexting, we’d probably recommend a secure messaging service like Signal, which doesn’t store your messages or media files on its servers, rather than some small, private social media network. 

What to do next

We reached out to Amazon on November 4 to have the AWS bucket secured and closed off from public access, since we were unable to find contact information for LimitChat/FaceChance’s creator or creators. They were able to secure the bucket on November 6.

In general, however, if you have used LimitChat or are currently using it, we recommend you contact any admin for further information about the leak. Additionally, we recommend you delete your files, if possible, and move off the platform until it can be proven to be secured. Even then, if the leak is confirmed to be LimitChat’s, it may be better to close your account on that platform permanently.