⚠ CONFIDENTIAL SECURITY DISCLOSURE — Sent privately to Lymow — Do not distribute ⚠

🔓 Lymow Exposes 12,956 Customer Homes to Anyone With a Lymow Account

A critical S3 misconfiguration allows any authenticated Lymow user to download the GPS home location, property layout, and behavioral data of every Lymow customer worldwide. No hacking required — just a valid account.

🏠 Exact Home Address

The charging station GPS is accurate to within meters. Combined with satellite view (shown on this map), anyone can identify the exact house, garden layout, and entry points.

📅 Owner Is Home? Check the data.

Mowing sessions expose daily routines and presence patterns. If the mower ran today, someone is home. Long gaps suggest holidays or absence — perfect for planning a break-in.

💶 High-Value Target List

A Lymow One costs €1,500–€2,500. This dataset is a ready-made list of affluent homeowners across Europe — people wealthy enough to own expensive autonomous garden robots.

🗺️ Property Intelligence

Zone maps reveal garden boundaries, access paths, and whether a property has a back garden — information a burglar would normally need to physically scout in person.

⚠ Real-World Attack Scenarios Enabled by This Breach

🦹 Scenario 1 — Targeted Burglary

1. Create a free Lymow account
2. Check the map on this page — every pin is a real home
3. GPS home locations of 12,956 Lymow owners worldwide — all accessible
4. Check mowing session dates → identify homes where nobody has been active recently
5. Confirm target address on satellite view → steal the €2,500 mower
6. Or target the home itself — wealthy owner, known to be away, exact address known

📍 Scenario 2 — Stalking / Surveillance

1. Target a known individual who owns a Lymow
2. Use MAC address or account details to identify their device
3. Track real-time occupancy via mowing session timestamps
4. Obtain exact home address without any additional effort
5. Monitor daily patterns over months of stored history

🌍 Scenario 3 — Mass Data Scraping

1. Automated script downloads all 12,956 device locations in < 10 minutes
2. Cross-reference with property databases and social media
3. Build affluent homeowner profiles for targeted phishing or fraud
4. Sell dataset on dark markets — home addresses + wealth indicators
5. GDPR fines for Lymow: up to 4% of global annual revenue

📡 Live Breach Map — Home GPS Locations
