Anonymity Stripped: Unsecured Kibana and Dozzle Dashboards Leak 22 Million FTF Live Video Chat Records

by ddos · May 21, 2026

The FTF Live video-chat ecosystem, which explicitly guaranteed its users absolute anonymity during randomized social interactions, has suffered a severe misconfiguration that exposed the session metadata of millions of individuals to the public internet. Researchers at Cybernews found an unauthenticated Kibana dashboard tied directly to the platform’s infrastructure and confirmed that it allowed anyone to browse detailed analytics on user identities and transport-layer configurations.

FTF Live is a browser-based web application hosted at ftf.live, alongside a dedicated mobile app. Real-time communication platforms of this kind are built to minimize onboarding friction: users grant immediate access to their camera and microphone, choose a temporary pseudonym and a set of interests, and are promptly paired with strangers around the world by an automated matchmaking loop. The model depends heavily on the platform’s promises of anonymity.

According to Cybernews, the unsecured Kibana instance exposed records of more than 22 million discrete connection events. Approximately 3.47 million of these records contained explicit usernames or distinct identifiers mapped to active email addresses. The exposure also included detailed host environment data (device names, operating system types, browser user-agent strings, and hardware platform details) alongside public IP addresses, granular routing logs, geolocation, language settings, user tier classifications, and, critically for premium subscribers, billing and payment transaction records.

While investigators confirmed that the real-time multimedia streams themselves were not publicly exposed, the exposed metadata is sufficient to track and de-anonymize individuals across multiple sessions, a correlation that is particularly effective when cross-referencing persistent IP addresses, static profile names, and stable device signatures. For a randomized chat service this dataset is especially sensitive, given that users routinely engaged in intimate or highly candid interactions under the explicit assumption of absolute digital privacy.

The exposure created severe downstream risks for highly vulnerable groups, including LGBTQ+ communities living under oppressive legal regimes, minors, and individuals sharing sensitive personal disclosures. The aggregated telemetry gives attackers a comprehensive basis for targeted spear-phishing campaigns, persistent surveillance, financial extortion, and credential-stuffing attacks.

During triage, Cybernews found a second unsecured service running on the same infrastructure. Dozzle, a lightweight utility that streams real-time Docker container logs to a browser, was accessible without any authentication. This exposed a real-time public stream of logs from FTF Live’s core internal application services.

According to Cybernews, these live logs routinely contained plaintext administrative passwords, active session tokens, unsanitized internal API queries, operational subsystem events, and details of the internal network architecture. This failure compounded the severity of the primary data exposure, because it let anyone watching observe the internal execution state of the back-end infrastructure while users were active on the platform.
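Container log viewers display whatever the application writes, so credentials should be masked before a log line is emitted. The following is an added example, not FTF Live's or Cybernews' code: a Python `logging` filter that redacts the kinds of secrets described above. The patterns, the `RedactingFilter` name and the sample lines are constructed assumptions.

```python
import io
import logging
import re

# Illustrative patterns (assumptions); tune them to your own log formats.
_JWT = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")
_BEARER = re.compile(r"(?i)\b(bearer|basic)\s+[A-Za-z0-9._~+/=-]{8,}")
_KEYED = re.compile(
    r"(?i)([\w-]*(?:password|passwd|secret|token|api[_-]?key|session[_-]?id)[\w-]*)"
    r"""(["']?\s*[:=]\s*["']?)([^\s"'&,;}]+)"""
)


def redact(text: str) -> str:
    """Mask JWTs, Authorization credentials and key=value / "key": "value" secrets."""
    text = _JWT.sub("[REDACTED_JWT]", text)
    text = _BEARER.sub(lambda m: f"{m.group(1)} [REDACTED]", text)
    return _KEYED.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Attach to a handler so every record is scrubbed before it is written."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render msg % args first so secrets passed as arguments are caught too.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


# Constructed sample log calls, not real FTF Live output.
SAMPLE = [
    ("admin login ok user=%s password=%s", ("root", "S3cr3t!pass")),
    ('POST /api/match {"session_id": "a1b2c3d4e5", "lang": "en"}', ()),
    ("upstream call Authorization: Bearer %s",
     ("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl",)),
]


def demo() -> str:
    """Log the sample lines through the filter and return what the handler wrote."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("redaction_demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    for msg, args in SAMPLE:
        log.info(msg, *args)
    return stream.getvalue()
```

Pattern-based redaction over-matches some harmless keys and misses secrets in unexpected formats, so it complements authentication on the log viewer rather than replacing it.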

Security analysts conclude that the simultaneous exposure of the historical Kibana datastore and the live Dozzle log stream amounted to a complete security failure for FTF Live. The former exposed historical aggregated analytics, whereas the latter provided a real-time view of active, low-level internal server operations.

The precise scale of the compromise remains difficult to validate independently. While the underlying indices indicate a historical exposure covering millions of identities, traffic metrics from Semrush suggest a more conservative baseline, recording roughly 608,000 monthly visits during April 2026, with an average engagement duration exceeding seven minutes. The Android version of FTF Live was published on the Google Play Store on April 5 and rapidly accumulated 5,000 installations before its recent, abrupt removal from the store by Google’s compliance teams.

Timestamps in the exposed indices show that data collection continued up until the discovery in late 2025. Older entries confirm that the retained data spanned multiple fiscal cycles. How long these administrative dashboards remained exposed to opportunistic internet scanning is unknown.

Cybernews initiated responsible disclosure with the organization, but the platform maintainers did not provide an official response prior to publication. The corporate ownership behind the service remains convoluted. Regulatory filings indicate the Android app was published under the name of Burhan LTD, an entity also credited with publishing the Descargar Musica Mp3 Tones application suite, which has over 10 million downloads, alongside the active Pink Video Chat utility. The privacy documentation, by contrast, names Cyprus-registered Cooy Ads Ltd. as the principal data controller, while secondary technical support structures and brand assets are explicitly tied to an entity trading as Pixover.

Cybernews first recorded the exposure on December 12, 2025, and escalated it to regional CERT authorities on January 1, 2026, to push for remediation.
