A privacy controversy surrounding Meta Platforms’ Ray-Ban smart glasses has taken a new turn after security researchers uncovered dozens of exposed credentials linked to the company’s data-annotation contractor.
Last week, Swedish outlets Svenska Dagbladet and Göteborgs-Posten reported that footage captured by Meta’s smart glasses (developed with Ray-Ban) was being reviewed by human annotators working for outsourcing firm Sama.
According to those interviewed for the report, some of the clips included highly sensitive scenes filmed in bathrooms, bedrooms, and other private settings. The revelations prompted the UK’s data protection watchdog, the Information Commissioner’s Office, to open an investigation.
Now, new research by Suzu Labs suggests the company responsible for reviewing that footage may itself have a security problem.
Security firm Suzu Labs says it discovered 118 credential entries linked to the domain sama.com circulating across Telegram channels, underground forums and breach databases in the past 90 days.
Of those entries, researchers identified 57 unique email addresses and 22 accounts believed to belong to legitimate employees. Several of the names appear to align with Sama’s known operations in both the United States and Kenya, where the company runs a large annotation workforce.
More concerning, 83 of the exposed entries included plaintext passwords.
A Lack of Password Strength
As part of the analysis of the leaked credentials, it was discovered that there was a lack of password strength, with almost 88% of passwords failing to meet basic complexity requirements, with over half of these having fewer than ten characters, and one in five consisting of only digits. Few had special characters, and one password was repeated in ten different entries.
The credentials are recent, posted between December 2025 and February 2026, with some appearing on Telegram only weeks before the smart-glasses investigation became public.
Most of the data appears to originate from info-stealer malware infections rather than traditional database breaches. According to the researchers, roughly 87% of the exposed credentials were pulled from malware logs, meaning malicious software was running on devices used by people with Sama email addresses and harvesting stored passwords, cookies and session tokens directly from those machines.
Info-stealers typically capture everything present on an infected endpoint, including login details for web services, corporate systems and personal accounts. Logs examined by the researchers included credentials for Google accounts, sales platforms and internet service portals.
If any infected machines were also used to access Sama’s internal annotation tools, the footage review pipeline itself could potentially be exposed.
Questions About Vendor Security
Sama plays a critical role in the AI supply chain. The company is one of the world’s largest data-annotation providers, supplying labeled datasets used to train artificial intelligence systems for major technology firms. In practice, that means sensitive data (images, video, text, and audio) often passes through contractors like Sama before it ever reaches an AI model.
The exposed credentials do not prove that Sama’s internal platforms were breached. But the presence of employee logins in active info-stealer datasets suggests that some endpoints used by staff have already been compromised.
For companies relying on third-party annotation providers, that raises broader questions about vendor security.
Anyone sending sensitive data to an annotation provider, should realize their endpoint security becomes your security, the researchers noted. Assuming those environments are locked down without verifying it is a risk.
Meta in the Crosshairs
The findings come at a particularly sensitive moment for Meta as regulators have eyes on how the company handles the data collected by wearable devices. Smart glasses, which continuously capture photos and video in public and private environments, come with unique privacy challenges, particularly when that footage is later reviewed by human moderators.
Researchers say both Meta and Sama should move quickly to assess whether any of the exposed accounts had access to annotation systems and to ensure affected credentials are reset and protected with multi-factor authentication.
They also recommend checking compromised endpoints for active infections and monitoring dark-web marketplaces for newly leaked credentials tied to employee accounts.
For companies building AI systems with the help of external data-labeling firms, the incident highlights a growing reality of modern cybersecurity: your vendors’ vulnerabilities can quickly become your own.
An Architectural Issue
Michael Bell, Suzu Labs CEO, sees the core issue is architectural: “Ambient computing devices are advancing faster than the security models meant to govern them. As smart glasses move from novelty to workplace technology, organizations may need to treat them less like accessories and more like network-connected endpoints with real data-security implications.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.