A misconfigured server at controversial facial recognition company Clearview AI left its source code publicly accessible, which could potentially have been used to run its app from scratch, TechCrunch reports. Some of the company’s secret keys and credentials, which granted access to Clearview AI’s cloud storage buckets, could also reportedly be accessed. Clearview stored copies of its finished Windows, Mac and Android apps, as well as its iOS app, in those buckets, according to the report. The company’s entire client list was stolen in a breach earlier this year.
Access to private communication was also possible: The compromised server was discovered by Mossab Hussein, Chief Security Officer at cybersecurity firm SpiderSilk, who said that anyone could log in to the company’s servers by registering as a new user, due to the misconfigured server. The company’s Slack tokens were also reportedly exposed, which could potentially be used to access its private messages and communications.
Video footage of residential building exposed: Around 70,000 videos of a residential building located in Manhattan were also accessible due to the misconfigured server, but the company’s founder Hoan Ton-That told TechCrunch that the footage had been captured with the permission of the building’s management as part of attempts to prototype a security camera. He also said that this flaw “did not expose any personally identifiable information, search history or biometric identifiers”.
Clearview AI’s database has been built using ‘public’ images: Clearview AI had first come under the scanner when the New York Times reported in January that the service was built by collecting images from across the web. Its controversial facial recognition software requires a user to feed a person’s image into it, and then pulls out all matching faces from its database. The software pulls facial data from all publicly available images online, including from Twitter, Facebook, Google, Instagram, YouTube, news articles, and more. The result is a database of unprecedented scale — over 3 billion images to be exact — to potentially identify any person walking on the street, with just a single image.
The company has government and private clients, including in Saudi Arabia: While the company had maintained that it offers its face recognition tool to only government agencies, a BuzzFeed News report had found that Clearview AI had sold its service to private companies including BestBuy and Macy’s. The report had also found that the company was selling technology to law enforcement agencies, government bodies and police forces in 27 countries including Saudi Arabia, the United Arab Emirates and India.
Police in Gujarat planning to use Clearview’s service: In February, we reported that the Vadodara City Police, in the Indian state of Gujarat, is planning to use Clearview AI’s controversial facial recognition software in public places such as railway stations and bus depots, and to track “property offenders”. The department had piloted the software earlier this year.