Millions of users caught in “anonymous” video chat leak


Hundreds of thousands of users thought their random video chats vanished the moment they clicked “next.” However, a Cybernews data leak investigation has found that extensive personal data was exposed to anyone on the internet.

Cybernews researchers discovered an openly accessible Kibana dashboard tied to FTF Live, a random video chat platform. The service is accessible through a browser on the ftf.live site and through a mobile application.

Such services allow users to hop into conversations instantly without formal registration, by granting camera and microphone access, choosing a username, and selecting interests before being paired with strangers worldwide.


While the platform creators promise anonymity, the misconfiguration exposed more than 22 million user records, including over 3 million entries directly tied to usernames or email addresses.


The findings raise major privacy concerns. The very concept of private conversations between strangers suggests that such chats may involve explicit personal interactions.

The scope of the data leak remains unverified. While the leaked data suggests that millions of users could be affected, Semrush data shows the service recorded just over 608,000 monthly visits in April 2026, with users spending an average of more than 7 minutes per session.

Also, the FTF Live Android app, launched on April 5th, had 5K downloads on the Play Store before being recently removed.

What data was exposed?

According to Cybernews researchers, the publicly accessible Kibana dashboard exposed analytics records linked to more than 22 million sessions, along with approximately 3.47 million entries containing usernames or email-related identifiers.

The exposed records included:

  • Device names and device types
  • Browser and platform details
  • IP addresses
  • Connection metadata
  • Country and language information
  • Gender information
  • User account types, including paid and free users
  • Usernames and email addresses for some accounts
  • Invoice and payment-related data for paying users

The records were stored on Elasticsearch and visualized through Kibana dashboards segmented by demographics, device type, geography, and payment status.

Data leak is putting users at risk

While no raw video conversations were exposed, researchers warn that the metadata alone may be sensitive enough to identify and track users across sessions.

“Initial analysis suggests that anyone with the right URL could review granular information about individual users and their sessions,” our researchers noted.

Because random video chat services are frequently used for intimate or explicit conversations, the metadata may indirectly expose deeply personal behavioral patterns, especially when combined with persistent identifiers such as IP addresses, usernames, and device metadata.

Researchers warned that the exposure could create heightened risks for vulnerable individuals, including LGBTQ+ users in restrictive countries, minors, or users engaging in sensitive conversations under the assumption of anonymity.


Live backend logs were also exposed

During the investigation, researchers uncovered a second exposed service running on the same infrastructure.


Dozzle, a browser-based log viewer commonly used to display real-time Docker container logs for debugging and operational monitoring, lacked proper authentication.

“In this case, the Dozzle instance was openly reachable with no authentication, exposing live operational logs from FTF Live’s backend services,” our researchers explained.

The dashboard exposed live operational logs from FTF Live’s backend systems in real time. According to the researchers, the exposed logs included:

  • Plain-text passwords
  • Session tokens
  • Internal API requests
  • Backend operational events
  • Infrastructure details

The live logging exposure significantly escalated the incident's severity because attackers could observe authentication flows and backend activity as users interacted with the platform.
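
One defender-side control for the failure described above, as an added example that is not from the Cybernews report or from FTF Live's code: a Python logging filter that masks passwords, tokens and Authorization headers before a record reaches container stdout, which is the stream a Docker log viewer such as Dozzle displays. The field names and the sample log lines are constructed assumptions.

```python
import io
import logging
import re

# Field names treated as secrets (assumed list; extend for your own services).
SENSITIVE = r"password|passwd|pwd|token|secret|session_?id|api_?key"
# Matches key=value, key: value and JSON "key": "value"; prefixed names
# such as session_token or access_token are covered by the [\w-]* prefix.
KV_RE = re.compile(
    r"""(["']?[\w-]*(?:""" + SENSITIVE + r""")["']?\s*[:=]\s*)"""
    r"""("[^"]*"|'[^']*'|[^\s,&}"']+)""",
    re.IGNORECASE,
)
AUTH_RE = re.compile(r"\b(bearer|basic)\s+[A-Za-z0-9._~+/=-]+", re.IGNORECASE)

def _mask(m):
    value = m.group(2)
    quote = value[0] if value[0] in "\"'" else ""  # keep JSON well-formed
    return f"{m.group(1)}{quote}[REDACTED]{quote}"

def redact(text):
    return AUTH_RE.sub(r"\1 [REDACTED]", KV_RE.sub(_mask, text))

class RedactingFilter(logging.Filter):
    """Rewrite the fully formatted message so %-style args are scrubbed too."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = None
        return True

# Constructed sample lines, not taken from the exposed logs.
SAMPLE = [
    'POST /api/login body={"email": "user@example.test", "password": "hunter2 x"}',
    "ws connect user=guest_4821 session_token=abc123.def456 ip=203.0.113.7",
    "GET /api/me Authorization: Bearer eyJhbGciOi.constructed.sig",
]

def demo():
    stream = io.StringIO()                  # stands in for container stdout
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())    # on the handler: also covers child loggers
    log = logging.getLogger("backend.demo")
    log.handlers[:] = [handler]
    log.propagate = False
    log.setLevel(logging.INFO)
    for line in SAMPLE:
        log.info(line)
    return stream.getvalue().splitlines()
```

Redaction limits what a log viewer can leak; it does not replace putting Kibana and Dozzle behind authentication and off the public internet.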

“The combination of public Kibana and public Dozzle instances creates a severe security risk,” our researchers explained.

The exposure effectively provided both historical analytics data and live operational visibility into the platform’s infrastructure, potentially enabling account compromise, stalking, phishing campaigns, targeted scams, or deeper infrastructure abuse.

“Anonymous” chats may not have been anonymous at all

Researchers say the incident highlights a broader industry problem surrounding “anonymous” communication platforms.

From a user perspective, many people reasonably assume that closing a random video chat window ends the interaction permanently. Instead, the research suggests extensive metadata collection may have been quietly accumulating behind the scenes for years.

Index timestamps reviewed by researchers indicate the data collection was ongoing up until the moment of discovery in late 2025. Earlier entries suggest that records may have been retained for a prolonged period, spanning a couple of years.


The exact duration of public exposure remains unknown.

“The leak turns what many people assume to be anonymous and throwaway interaction into a highly traceable data trail,” researchers noted.

The exposure may also raise regulatory concerns under GDPR, CCPA, and broader consumer protection frameworks if users were led to believe interactions were anonymous while extensive tracking was taking place.

Complex ownership structure raises transparency concerns

Cybernews researchers and journalists contacted the company but had received no response at the time of publishing.

The platform's ownership is also problematic, which might raise accountability issues. The Android version of the app was reportedly published under the name Burhan LTD, which also released the Descargar Musica Mp3 Tones apps, which together have over 10 million downloads. The company also released the Pink Video Chat app, which is still on the Play Store.

Meanwhile, the privacy policy identifies Cyprus-based Cooy Ads Ltd. as the platform’s data controller, while customer support and branding appear under the name Pixover.

The FTF Live Android app was reportedly removed from the Google Play Store approximately 10 days before publication.

Disclosure timeline:

Initial disclosure: December 12th, 2025
CERT contacted: January 1st, 2026
