Meta Outsourcer Exposed in Massive Credential Leak
Research from Suzu Labs reveals over 100 compromised credentials at Sama, the firm reviewing sensitive smart glasses footage.
- By Jesse Jacobs
- Mar 06, 2026
Evidence of security lapses at a major data annotation firm has raised new questions about the privacy of users wearing AI-powered eyewear. Research released by Suzu Labs indicates that Sama, an outsourcing company used by Meta to review video captured by its smart glasses, has suffered a significant exposure of corporate credentials.
The findings come shortly after reports that human annotators in Kenya were tasked with reviewing footage from the glasses, which at times included intimate moments recorded in private settings. Suzu Labs, using dark web intelligence tools, identified 118 credential entries tied to the company’s corporate domain circulating on underground forums and Telegram channels.
The dataset included dozens of unique email addresses and plaintext passwords. Security analysts noted that 88% of the analyzed passwords failed to meet basic complexity requirements, with many being shorter than eight characters or consisting entirely of digits.
The exposure is particularly concerning given the nature of the data handled by the firm.
Information-stealer malware, designed to siphon login tokens and passwords from infected devices, was the source for the majority of the leaked data. If an employee's workstation used to access internal annotation platforms is compromised, the entire pipeline of user footage could be at risk.
Industry experts emphasize that third-party risk management is a critical component of data security. When companies outsource the processing of sensitive biometric or visual data, the security posture of the vendor becomes a direct extension of the primary company's risk profile.
Meta has previously stated that it uses contractors to improve its AI services and that data is filtered to protect privacy, including the blurring of faces. However, the current leak suggests that the human element of this supply chain may remain a vulnerable link.
Security professionals recommend that organizations handling sensitive consumer data implement multi-factor authentication and rigorous endpoint monitoring to prevent credential stuffing and malware-based breaches.