Thousands of webcam accounts exposed online

Security Camera Monitor
(Image credit: Shutterstock)

The creators of an app used to control several different webcams have left an Elasticsearch database containing user data exposed on the internet without a password.

The database belongs to the app Adorcam which is used to view and control P2P IP cameras from Zeeporte and Umino. The app itself has over 10,000 downloads on the Google Play Store as well as some less than favorable reviews regarding its functionality.

The discovery of the exposed database was made by security researcher Justin Paine who alerted Adorcam and the company has since secured it with a password.

In a blog post detailing his discovery, Paine explained that the database contained around 124m rows of data on several thousand users of the app. In addition to personal information about webcam owners such as their email addresses, the database also contained live details about user's webcams including their location, whether the microphone was active and the name of the home network these cameras were connected to.

Exposed database

In order to verify that Adorcam's database was updating live, Paine created a new account, searched for and eventually found his information included with other users of the app.

While the data contained in the database did not contain too many sensitive details on Adorcam users, it could be used by cybercriminals to craft phishing emails or for other types of extortion online.

At the same time, Pain discovered evidence that stills captured from his webcam were being uploaded to the app's cloud but unfortunately he was unable to verify this since the links had already expired. Inside the database, he also found hardcoded credentials for Adorcam's MQTT server. While Paine didn't test these credentials as it would be against US law, he did inform the app's creators who then changed the server's password to prevent others from accessing its data.

In his report on the matter, Paine pointed out that the information contained in the database distinguished between Adorcam's Chinese users and its users outside of China, saying: 

“One interesting detail about this database was that the user information was split between Chinese users and "abroad" users. For example:  request_adorcam_cn_user  vs. such as request_adorcam_abroad_user.  Adorcam almost certainly has breach disclosure obligations based on what appeared to be a global user base. If they had users within the EU they absolutely have an obligation.” 

Via TechCrunch

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Ransomware
Cl0p resurgence drives ransomware attacks to new highs in 2025
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight
Latest in News
Microsoft Surface Laptop and Surface Pro devices on a table.
Hate Windows 11’s search? Microsoft is fixing it with AI, and that almost makes me want to buy a Copilot+ PC
Oura Ring 4
Activity tracking on Oura Ring is about to get a whole lot better, but I've got bad news about your step count
Google Pixel Buds Pro 2
Cleaned your Pixel Buds Pro 2 recently? If not, you might be getting worse sound
Google Maps on a phone being held in someone's hand
Google Maps is getting two key upgrades, for easier route planning and quicker access to Gemini AI
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Gemini on a smartphone.
Gemini 2.5 is now available for Advanced users and it seriously improves Google’s AI reasoning