Last week, Swedish journalists revealed that Meta sends video footage from Meta Ray-Ban smart glasses to human data annotators at Sama, a San Francisco-based outsourcing company that runs its annotation workforce out of Nairobi, Kenya. Workers described seeing footage of people in bathrooms, bedrooms, and intimate situations. The UK's Information Commissioner opened a probe. The story dominated privacy news for days.
Nobody asked the obvious follow-up question. How secure is Sama?
We did. And the answer isn't reassuring.
Sama Credential Exposure on the Dark Web
Suzu Labs ran dark web intelligence against Sama's corporate domain (sama.com) using our threat intelligence platform. Within the last 90 days alone, we identified 118 credential entries tied to sama.com circulating across Telegram channels, underground forums, and breach databases.
Of those 118 entries, 57 are unique email addresses. Twenty-two of them appear to be legitimate corporate employee accounts. The employee names are consistent with Sama's known operations in both the US and Kenya, and several match naming patterns typical of the company's Nairobi-based annotation workforce.
Eighty-three of those entries included plaintext passwords.
Sama Employee Password Security Is Poor
We analyzed the 32 unique plaintext passwords found in the dataset.
-
88% fail basic complexity requirements (8+ characters with uppercase, lowercase, and a digit)
-
56% are under 10 characters
-
22% are under 8 characters, which wouldn't pass the minimum bar at most organizations
-
Only 9% include a special character
-
19% are digits only
-
The most reused password in the dataset appeared across 10 separate entries
These aren't passwords from 2015. The credential entries in our dataset were posted between December 2025 and February 2026. Some were shared on Telegram just weeks before the Swedish investigation broke the glasses story.
Info-Stealer Malware Is the Primary Source
Most of these credentials didn't come from some third-party breach where Sama employees happened to have accounts.
Roughly 87% came from info-stealer malware logs. That means malware was running on machines used by people with sama.com email addresses, pulling credentials and session tokens directly off the endpoint. The stealer takes everything on the machine. It doesn't filter by importance.
The stealer logs captured credentials for Google accounts, sales platforms, and ISP portals on those machines. If any of those infected endpoints were also used to access Sama's internal annotation platforms, the footage review pipeline could be exposed.
The remaining credentials appeared in named data breaches, including the Crunchbase breach and credential combo lists traded on BreachForums and Telegram distribution channels.
Risk to AI Training Data and Other Sama Clients
Sama isn't just a Meta contractor. The company is one of the largest data annotation providers in the world. Their clients have historically included some of the biggest names in AI. When you train a model, the training data goes through companies like Sama, and the people labeling that data operate on endpoints that, based on what we found, are not locked down.
The credential exposure we identified doesn't prove that Sama's annotation platform was compromised. But employee machines have been infected with info-stealer malware. The resulting credentials are being traded on the dark web right now. And the password hygiene across those accounts is poor. For an organization trusted with intimate video footage from millions of consumers, that should concern every client they have.
What Meta and Sama Should Do Now
Meta should be asking Sama hard questions about endpoint security and whether any of the compromised accounts have access to the annotation pipeline. If Meta conducted a third-party security assessment of Sama before handing over user footage, the results should be reexamined given what's now circulating on the dark web.
Sama should be running its own leaked credential monitoring. Every one of the accounts we found needs a forced password reset and MFA verification. The endpoints those credentials were stolen from need to be checked for active infections. Info-stealer logs from Sama employee machines are circulating freely. That's not a hypothetical risk. It already happened.
For other companies using third-party data annotation services, your vendor's security is your security. If you're sending sensitive data to an annotation provider and you haven't checked whether their employees' credentials are already on the dark web, you're making assumptions you can't afford to make.
How We Did This
We identified these credentials through dark web intelligence research. Password analysis was performed on the extracted plaintext credentials. No accounts were accessed, tested, or exploited during this research.
.png)
