SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Sama credential leaks raise fears over Meta glasses data

Sat, 7th Mar 2026

Suzu Labs has raised questions about the security of Sama, the outsourcing firm reported to be reviewing video footage from Meta Ray-Ban smart glasses, after it found credentials linked to Sama accounts circulating in underground channels.

The research follows reporting by Swedish journalists that said Meta sends clips captured by its Ray-Ban smart glasses to human data annotators at Sama. Workers quoted in that coverage described seeing footage recorded in bathrooms, bedrooms and other intimate settings. The UK's Information Commissioner has opened a probe into how the footage was handled.

Sama is based in San Francisco and runs an annotation workforce out of Nairobi, Kenya. It also supplies data annotation services for other AI projects, making its security posture relevant to a broad group of clients that outsource data labelling.

Credential findings

Suzu Labs ran dark web intelligence searches against Sama's corporate domain, sama.com, using its threat intelligence platform. It found 118 credential entries tied to the domain over a 90-day period, appearing across Telegram channels, underground forums and breach databases.

Of those entries, 57 contained unique email addresses. Suzu Labs said 22 appeared to be legitimate corporate employee accounts. The names were consistent with Sama's operations in the US and Kenya, and several matched naming patterns the firm associated with the Nairobi-based annotation workforce.

According to Suzu Labs, 83 of the 118 entries included plaintext passwords. It described this as a security issue because stolen login details can enable credential-stuffing attacks against corporate services. The information could also support social engineering if employee names and email addresses appear authentic.

Password hygiene

The research analysed 32 unique plaintext passwords from the dataset. Suzu Labs said 88% failed basic complexity requirements, which it defined as at least eight characters including uppercase and lowercase letters and a digit. It said 56% were under 10 characters and 22% were under eight characters.

Only 9% included a special character, the research found, while 19% were digits only. The most reused password appeared across 10 separate entries.
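The complexity rule and hygiene figures described above, as an added Python example (not code from Suzu Labs or the article) that runs the same checks over a constructed sample; the real leaked passwords are not published, so the sample values are invented.

```python
import string
from collections import Counter

# Constructed stand-in for the leaked entries; the article does not publish
# the real passwords. Duplicates model the same password reused across entries.
SAMPLE_ENTRIES = [
    "password", "123456", "Sama2024!", "nairobi", "Welcome1", "123456",
    "qwerty12", "P@ssw0rd", "12345678", "123456", "summer", "Annotate99",
    "password",
]

def meets_complexity(pw):
    """Basic complexity as the article defines it: at least eight characters
    with an uppercase letter, a lowercase letter and a digit."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))

def has_special(pw):
    """True if the password contains any ASCII punctuation character."""
    return any(c in string.punctuation for c in pw)

def pct(hits, total):
    """Whole-number percentage, as the article reports its figures."""
    return round(100 * hits / total)

def audit(entries):
    """Compute the hygiene figures over the unique passwords and the reuse
    figure over the raw entries, mirroring the article's breakdown."""
    unique = list(dict.fromkeys(entries))  # de-duplicate, keep first-seen order
    n = len(unique)
    top, count = Counter(entries).most_common(1)[0]
    return {
        "unique_count": n,
        "fail_complexity_pct": pct(sum(not meets_complexity(p) for p in unique), n),
        "under_10_pct": pct(sum(len(p) < 10 for p in unique), n),
        "under_8_pct": pct(sum(len(p) < 8 for p in unique), n),
        "special_char_pct": pct(sum(has_special(p) for p in unique), n),
        "digits_only_pct": pct(sum(p.isdigit() for p in unique), n),
        "most_reused": (top, count),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_ENTRIES).items():
        print(f"{key}: {value}")
```

Running it over a real export (one password per line) only requires replacing SAMPLE_ENTRIES with the file's lines; the unique/raw split matters because reuse is counted across entries while the percentages are over distinct passwords.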

The credential entries were posted between December 2025 and February 2026, Suzu Labs said. Some were shared on Telegram only weeks before the Swedish reporting drew attention to the smart glasses footage.

Stealer malware

Most of the credentials did not come from a single corporate breach, according to the research. Instead, roughly 87% came from information-stealer malware logs, which are designed to extract stored usernames, passwords and session tokens from infected devices.

Suzu Labs said the stealer logs captured credentials for Google accounts, sales platforms and ISP portals on infected machines. If any of those endpoints were also used to access Sama's internal annotation platforms, it said, the footage review pipeline could be exposed.

The remaining credentials appeared in named data breaches and combo lists, Suzu Labs said. It cited the Crunchbase breach and said credential lists were traded on BreachForums and Telegram distribution channels.

Client exposure

The findings do not prove that Sama's internal annotation systems were compromised. Suzu Labs distinguished between leaked credentials and confirmed unauthorised access to corporate tools.

However, it said the evidence points to employee machines infected with information-stealer malware and poor password practices across some accounts. Together, it said, those issues increase the risk of account takeover and unauthorised access to systems used for data labelling.

Because Sama works on AI datasets, Suzu Labs said the potential impact is not limited to any single client. Data annotation providers often handle sensitive material, including training data and media supplied under confidentiality terms. If leaked credentials belong to staff with access to annotation systems, the risk can extend across multiple projects.

Calls for action

Suzu Labs said Meta should scrutinise Sama's endpoint security and review what access any compromised accounts might have. It also urged Meta to re-examine any third-party security assessment completed before user footage was shared.

It also recommended that Sama run its own leaked-credential monitoring, force password resets for accounts identified in the dataset, and verify multi-factor authentication. Suzu Labs said the endpoints implicated in the leaks should be checked for active infections.

The firm framed the issue as a broader vendor-risk problem for companies that outsource data annotation. Organisations sending sensitive data to annotation providers, it said, should verify whether vendor employee credentials have already been exposed in underground markets.

"Last week, Swedish journalists revealed that Meta sends video footage from Meta Ray-Ban smart glasses to human data annotators at Sama, a San Francisco-based outsourcing company that runs its annotation workforce out of Nairobi, Kenya. Workers described seeing footage of people in bathrooms, bedrooms, and intimate situations. The UK's Information Commissioner opened a probe. The story dominated privacy news for days," said Mike Bell, founder and CEO of Suzu Labs.

"Nobody asked the obvious follow-up question: How secure is Sama? We did. And the answer isn't reassuring," Bell said.

"Most of these credentials didn't come from some third-party breach where Sama employees happened to have accounts. Roughly 87% came from info-stealer malware logs. That means malware was running on machines used by people with sama.com email addresses, pulling credentials and session tokens directly off the endpoint. The stealer takes everything on the machine. It doesn't filter by importance," Bell said.

Suzu Labs said it identified the credentials through dark web intelligence research and analysed extracted plaintext credentials. It said no accounts were accessed, tested or exploited during the work.