Sanctioned keylogger, unlocked back end

An endpoint agent that records keystrokes is a keylogger. The label on the purchase order does not change the technique. User behaviour analytics, insider-risk monitoring, data loss prevention all name the same primitive: MITRE T1056.001, Input Capture: Keylogging. The reported Meta incident gets framed as an AI-training story. That framing is noise. Collecting keystroke telemetry from employee workstations is a deliberate design decision. The failure is what happened to the data after collection. It sat in a store reachable without authentication.

Separate the two events. Collection is a policy choice. Exposure is a control failure. The first is sanctioned, internal, and invisible to the endpoint’s own defences. The second is CWE-306, Missing Authentication for a Critical Function, layered on CWE-200, Exposure of Sensitive Information to an Unauthorised Actor. The AI angle is a procurement justification. The breach is a back end with no access control. Treat what follows as analysis of the failure class. The structural mechanics are the same whether the specific corpus is what early reporting claims or smaller.

Keystroke telemetry does not stay on the endpoint. The agent hooks input - SetWindowsHookEx with WH_KEYBOARD_LL on Windows, an event tap or accessibility API on macOS, an X11 or evdev reader on Linux - buffers it, and ships it to an ingestion endpoint. From there it lands in an object store, a search index, or a log pipeline. Each hop is a point where access control either holds or does not. The exposure occurs at the store. A misconfigured S3 bucket policy. An Elasticsearch or Kibana instance bound to 0.0.0.0 with no authentication realm. A blob container set to public read. The pattern is decades old and it does not require a software vulnerability to trigger. It requires a permission set that grants read to an unauthenticated principal.

No exploit is needed. That is the point. Discovery is passive. Shodan and Censys index exposed Elasticsearch nodes, open S3 endpoints, and naked Kibana dashboards continuously. MITRE T1596, Search Open Technical Databases. An actor queries for the service banner, finds the open store, and issues an unauthenticated GET. MITRE T1530, Data from Cloud Storage. The keystroke corpus transfers over HTTPS with a 200 response. No memory corruption, no privilege escalation, no lateral movement. The data handling was the vulnerability and the configuration was the exploit.

The supply chain dimension is where this stops being one company’s isolated mistake. Employee-monitoring agents are frequently third-party SaaS. The agent ships keystroke telemetry to the vendor’s cloud back end, not the employer’s. The most sensitive data an organisation produces, what its staff type including credentials to its own systems, transits and rests in a vendor’s infrastructure, under the vendor’s access controls, behind the vendor’s configuration discipline. The trust boundary extends to a party the employer does not operate. pcTattletale, mSpy, and Spyhide were all vendor-hosted. The employer selected the tool. The vendor lost the data. The liability lands on both. This is the same trust inversion that makes a compromised build-pipeline scanner dangerous. A component installed for oversight becomes the single largest aggregation of exactly the data an attacker wants, parked outside the installing party’s span of control.

Keystroke telemetry is the highest-value collection class an attacker can inherit. It captures input before any application-layer protection applies. Credentials are recorded as typed, before TLS wraps them and before a password manager masks them. MFA codes are captured at entry. Session tokens and API keys pasted into terminals or browser fields land in the stream. Internal hostnames, source code, Slack messages, and email drafts are all keystrokes. The dataset is a pre-assembled credential harvest. MITRE T1552, Unsecured Credentials, with the attacker never touching the target’s production systems. Whoever reads the store inherits everything every monitored employee typed during the collection window. Retention extends the blast radius. A store holding months of keystrokes is months of credentials, not a snapshot.

Session material matters more than passwords. A captured password meets a rotation policy and MFA on next login. A captured session token replays until it expires. This is the Okta lesson from the 2023 support-system incident, where session tokens lifted from uploaded HAR files enabled access without re-authentication. MITRE T1550.004, Use Alternate Authentication Material. Keystroke telemetry that includes pasted bearer tokens or cookies hands an attacker live sessions, not hashes. Vault hygiene does not help here. The secret is captured at the keyboard before it ever reaches the vault.

The pattern has precedent and the actors are not nation-state. pcTattletale, a consumer and workplace monitoring application, exposed real-time device screenshots through a misconfigured AWS endpoint in May 2024. The store was then wiped and the front end defaced. mSpy, Spyhide, and Spytech, the stalkerware and employee-monitoring category, have each leaked their collected surveillance data through unsecured back ends. The throughline is consistent. Tools built to watch employees and partners concentrate sensitive telemetry into a single store, and that store is repeatedly the weakest control in the chain. Exposed Elasticsearch instances alone account for recurring multi-billion-record leaks. The actor profile is opportunistic. Data brokers, extortion crews, and scraping operations of the ShinyHunters type pull exposed stores and resell or extort. They do not need to breach Meta. They need Meta, or Meta’s vendor, to leave the store open.

On the endpoint, nothing fires. A signed, allowlisted corporate agent calling a keyboard hook is sanctioned behaviour. EDR exempts it. Sysmon Event ID 1 logs the process and Event ID 7 logs the image load, but the binary is on the allowlist and the events read as noise to the SOC. This is the structural blind spot. The monitoring tool is exempt from the monitoring. The identical keyboard hook from an unsigned binary triggers a behavioural alert immediately. From the corporate agent it is invisible by policy. Detection engineering cannot catch collection it has been instructed to ignore. The agent’s own beacon to the vendor domain is allowlisted egress, so the exfiltration of keystrokes off the endpoint generates no alert either.

On the exposure side, the only signal is access logging on the store itself. S3 server access logs and CloudTrail GetObject events record unauthenticated reads. A reverse proxy or a Cloudflare front end logs the request and the source ASN. None of it fires if logging is disabled, and exposed stores are exposed precisely because their configuration was never reviewed, which means the access logging was almost certainly never enabled either. The exfiltration is silent. Collection is invisible by design and exfiltration is invisible by neglect. The realistic detection is a correlation rule for unauthenticated 200 responses against the telemetry store from non-corporate ASNs, but that rule only exists where someone already knew the store needed watching. The defender usually sees the breach when the data appears on a forum, not when it is first read.

There is no patch. No memory-safety bug exists to fix and no version boundary closes the gap. The control is access governance on the telemetry store and minimisation of what the agent captures at source. Keystroke-level collection that records credentials and session tokens is a liability the moment it is written to disk, regardless of where that disk sits.

Post-exposure, the residual is total within the collection window. Every credential that transited the keystroke stream is burned and assumed compromised. Rotation is mandatory, and password-only rotation is insufficient because captured session tokens replay until expiry under T1550.004. Active sessions must be invalidated server-side, not merely re-authenticated. The data does not un-leak. Any actor who pulled the store retains a copy after the bucket is closed. Closing the permission ends new reads. It does nothing about reads already served.

For an entity operating in Australia, exposed employee telemetry is a notifiable matter under the Privacy Act, and for regulated critical-infrastructure operators the SOCI Act obligations attach. The collection itself raises a lawful-basis and proportionality question independent of the breach. The escalation path is the security team and the privacy officer, not a configuration rollback. A rollback closes the hole. It does not address the corpus already in circulation, the sessions already replayable, or the reason keystroke-level capture was writing credentials to an unauthenticated store at all.

The framing is the joke. The AI-training story makes it sound sophisticated. The actual failure is a public bucket fronting a third-party surveillance pipeline. The keylogger worked exactly as specified. The data handling did not. That is the whole incident.

See also: NordVPN for tunneled traffic when operating outside controlled networks.

---

#ad Contains an affiliate link.