All-in-One Platform GoHighLevel Exposed Attachments From Their Clients Publicly

Millions of files with all kinds of private information exposed. The data belonged to companies in multiple countries.

Mar 27, 2025

Sometimes it’s a challenge to ID the owner

At the start of September 2024 I was researching publicly exposed cloud storage servers and noticed a server with a generic name and what seemed like contact attachments inside.

I listed all the files exposed on the server and their sizes and I got the following:

Text within this block will maintain its original spacing when published
14,355,237 files
11.95 TB

I scrolled through the file list but all the links I saw looked just like this:

https://myunsecurecloud.storage/server-name/HASH1/HASH2/GUID.filetype

I noticed ‘HASH1’ on the url was likely an ‘account ID’ and ‘HASH2’ was likely a ‘contact ID’. I can’t confirm if either hash is exactly what I think they are but I will mention them as such throughout the post.

I started checking some of the files and I kept seeing a lot of different things from all kinds of industries and different countries around the world:

Healthcare documents, SSN cards, various types of insurance related documents, passports, IDs, drivers licences, contracts for various household product installations, CVs, waivers, credit card data, mortgage protection cards, sensitive selfies and more.

Nothing was pointing me to the server owner and most account IDs I was looking at, I couldn’t identify whose company the data belonged to either.

Examples of the exposed files on the server. Image 1 contains a Insurance Rapport. Image 2 contains a Insurance application form. Image 3 contains a Australian passport used to verify age to make a body piercing. Image 4 contains a life insurance application. Image 5 contains a letter sent with a social security card. Image 6 contains an Equifax consumer report. — Examples of the exposed files on the server.

I generated a list of unique account IDs and their file counts and sorted it. Over 8,000 account IDs contained at least 100 attachments exposed.

I started checking a few samples per account ID and taking notes.

Text within this block will maintain its original spacing when published
Unique account IDs - 47,885
Unique contact IDs - 5,944,430

I didn’t find any clues as to who was responsible for the server but I matched a few account IDs to companies with data exposed on the server.

Trying to contact some companies for help

During September 2024 I sent emails to three companies that I confirmed had data exposed here to try and get help identifying the 3rd party responsible for the server but I didn’t get a single reply to any of the emails I sent.

This didn’t look like it would be easy to figure out and I wasn’t getting anywhere so I just moved on to report other things.

Trying a different approach

In January 2025 I had some free time and I got back to this server.

Eventually by looking more into the companies with the data exposed here I assumed some kind of CRM/All-in-One platform was responsible for the server.

One of the things I found out was websites of companies that I identified contained the account ID hash present on their image urls.

I used this information to search google for indexed images of around 200 account ID hashes and identified around ~80 websites and web forms that linked back to the exposed data.

Websites linked back to things such as:

Insurance & hiring agencies, multiple solar related companies, a bike rental company, a wellness clinic, tattoo and piercing shops and more.

A lot of the websites linked back to companies in the United States but I also saw multiple others from companies in Canada, Australia, Philippines, Pakistan and more.

One of the account IDs with around 55,000 exposed files was for a body piercing shop in Australia and the files were selfies of piercings done and identity documents. The documents could be matched to a selfie by the contact ID hash. Some of the selfies I saw were quite sensitive.

Other accounts IDs seemed to only have been used to ‘mass’ email and contained just default SBC documents (Summary of Benefits and Coverage) and/or digital signatures.

I found a couple other account IDs with peoples selfies in underwear/completely naked with no other identifiers as to who the person was or who the account ID belonged to.

Screenshot of the notes from the 50 account IDs with the highest file counts. Redacted company websites/names and account IDs to protect their privacy. — Notes from the 50 account IDs with the highest file counts.

Oh, Hello There!

One account ID I identified linked back to a workshop from GoHighLevel.

GoHighLevel is an All-in-One platform and their website contained an hash that matched one of the account IDs on my list but it only showed around 2,200 files exposed.

I took a better look at the custom domain url hosting the website images of all the websites I identified previously.

Some google searches later, I got a link to a suggestion on GoHighLevel’s website. After searching some more on the website I actually found something that confirmed GoHighLevel owned the exposed server:

Someone mentioned the server I was looking at, on a post in 2021.

Another post, made in May 2022, had someone suggesting to make signature links secure by only allowing access to logged in users, at the time you could open the links without authentication. The post didn’t mention if the server also allowed unauthenticated listing of the files or not back then but contained a link directly from the cloud storage server.

Contacting GoHighLevel

On January 22nd 2025 I looked through GoHighLevel’s website to try and get an email or form to report this issue. I eventually found a page about reporting security vulnerabilities: https://www.gohighlevel.com/security-response.

On this webpage it says to send reports to security.reports@gohighlevel.com so I sent an email alerting them of the issue they had and got an automated reply back.

Partial transcript of the email: We're writing to let you know that the group you tried to contact (security.reports) may not exist, or you may not have permission to post messages to the group. A few more details on why you weren't able to post: * You might have spelled or formatted the group name incorrectly. * The owner of the group may have removed this group. * You may need to join the group before receiving permission to post. * This group may not be open to posting. — Automated response from GoHighLevel’s security.reports email.

Apparently the security reports group either didn’t exist or wasn’t accepting reports from external emails. I tried a gmail account and got the same result.

The next day I sent an email to legal@gohighlevel.com explaining the above email didn’t work and then provided the information I tried to send the day earlier.

Email sent to GoHighLevel with some examples of the exposed data and where I found the connection to them. Redacted some information to protect the privacy of the affected clients. — Initial alert email sent to legal@gohighlevel.com.

While querying my logs for some extra information, by coincidence, I found another server that also belonged to GoHighLevel. Same naming scheme for server and files, but only around 14,000 files exposed.

Less than 12 hours after my initial email, the unauthenticated listing was disabled on the main server. I didn’t get a reply and the next day I emailed them again.

On this email I mentioned I saw the listing was disabled but the links still worked and whoever listed the server before they fixed it could still download all the files they listed. This was specially concerning since a partial list of the server files was indexed on at least one website, possibly more, since at least July 2023.

I also mentioned the other server I found. The next day that server also got unauthenticated listing disabled.

Silence and then… an NDA?

I wasn’t sure what was going on and if they were working on fully fixing the issue or not but the company didn’t reply to either of the emails I sent and I was busy with other incidents so I just waited for a bit.

On February 13th I noticed the links stopped working and the next day someone from GoHighLevel’s legal team sent me an email.

The company thanked me for bringing this to their attention as they heavily invest in cyber security services and those didn’t detect this ‘vulnerability’ and said they addressed the issue and considered it resolved.

The email then goes on to say they were ‘hoping I did not intend to publicly disclose this discovery’ as their intent was to comply with legal obligations to notify impacted customers but it was important the message came directly from them and if I was willing to enter an NDA. They sent a copy of it for me to sign.

An hour later I got another email, this time mentioning they noticed a public post I made about this incident on social media.

They asked me to remove the post and any other public comments on the matter and mentioned they were open to discuss a ‘token of appreciation’ for ‘my disclosure’ and ‘removal of any public posts’.

I replied back saying I would not sign any NDA but I would delay my publication to give them time to get a notice out to their clients.

The company eventually got back to me on February 25th giving me some more information regarding their intent with the NDA and what they did to secure the data and also said they ‘notified the potentially affected customers’.

Final comments

I don’t know what ‘potentially affected customers’ exactly means here neither have I seen any copy of the notification so I’m not aware of who exactly was notified or what was said.

I sent an email to one of the companies I tried to contact back in September 2024 asking if they got any notification but I didn’t get any reply back.

Text within this block will maintain its original spacing when published


If you’re interested in more incidents I dealt with, you can check all my public finds indexed by country on the post below:

The Hub of Stupi... *misconfigs Index

JayeLTee

November 5, 2024

Read full story

The Hub of Stupi.. *misconfigs

The Hub of Stupi... *misconfigs Index

Comments