ScreenJournal

The screenshot archive problem

Updated on 6 July 2026

Screenshot-based employee monitoring creates an archive of everything on workers' screens: emails, chats, credentials and client data. In 2025 one such archive leaked over 21 million screenshots from an unsecured cloud bucket. The archive is not the product of monitoring, it is its largest liability, and it is optional.

The table below puts the screenshot archive risk in verified numbers; each figure is sourced in the sections that follow.

Risk measureFigureSource and year
Screenshots exposed in the WorkComposer leak21 million+Cybernews, 2025
Screenshots and logs exposed by WebWork Tracker13 million+Cybernews, 2025
Breaches where compromised credentials were the way in22%Verizon DBIR, 2025
Average cost of a US data breach$10.22 millionIBM, 2025
Average time to identify and contain a breach241 daysIBM, 2025
Screen recording data per user on a normal office dayUp to 1 GBTeramind documentation, 2026
Typical screenshot retention window2 weeks to 12 months, per planVendor documentation, 2026
GDPR fine ceiling for breaching minimisation principles€20 million or 4% of worldwide turnoverGDPR Article 83(5)

What happened in the WorkComposer screenshot leak?

In April 2025, Cybernews researchers revealed that WorkComposer, an employee monitoring app used by more than 200,000 workers, had left over 21 million employee screenshots exposed in an unsecured Amazon S3 bucket, updating in near real time. The leak was discovered on 20 February 2025 and the bucket was finally secured on 1 April 2025.

Cybernews reported that the exposed images could reveal full-screen captures of emails, internal chats and confidential business documents, along with login pages, credentials and API keys that could be used to attack the affected businesses (Cybernews, 23 April 2025). The incident was independently covered by Tom's Guide, which summarised it plainly: chat logs, emails, passwords and more were left on the open web (Tom's Guide, 2025). WorkComposer secured access after being contacted and issued no official comment.

It was not an isolated case. In January 2025, Cybernews reported that WebWork Tracker, a remote work tracker claiming more than 140,000 users across 15,000 businesses, had exposed over 13 million screenshots and logs in another unprotected Amazon S3 bucket; the leak had been discovered in mid 2024 and took months to close (Cybernews, 2025; TechRadar, 2025). WebWork's marketing said screenshots were end-to-end encrypted; Cybernews stated flatly that this was not true. And in May 2024, the consumer monitoring app pcTattletale was found capturing screenshots of hotel booking systems that a security flaw made available to anyone on the internet; the company was hacked days later and subsequently shut down, and its founder pleaded guilty to hacking and advertising surveillance software in January 2026 (TechCrunch, 2024 and 2026).

The pattern across all three incidents is the same: the harm did not come from monitoring configuration or from any one manager's misuse. It came from the existence of a stored archive.

What does a leaked screenshot archive expose?

A screenshot archive is a copy of whatever crossed employees' screens, which means it concentrates exactly the material attackers want: credentials, session tokens, API keys, customer records and internal communications, captured at the moment they were visible.

The wider breach data shows why that matters. Compromised credentials were the initial access vector in 22% of breaches reviewed in the Verizon 2025 Data Breach Investigations Report, the kind of credentials that sit in plain sight in screenshot archives. Once a breach happens, it is expensive and slow: the average breach cost $4.44 million globally and $10.22 million in the United States in 2025, and organisations took an average of 241 days to identify and contain one (IBM Cost of a Data Breach Report, 2025). Insider misuse of stored data carries its own price: the average annual cost of insider risk reached $17.4 million per organisation in 2025 (Ponemon Institute and DTEX, 2025).

There is a second exposure that has nothing to do with attackers. A screenshot archive routinely captures things no employer is entitled to keep: a payslip open in another tab, a private message, a medical portal. Regulators have already shown they treat over-collection from workers as a violation in its own right, as the fines covered in our employee monitoring statistics show.

How fast does a screenshot archive grow?

Quickly, by the vendors' own numbers. Hubstaff can capture up to three screenshots per ten minutes per person, which is up to 144 images in an eight-hour day, doubled per extra monitor, with an add-on allowing ten times that (Hubstaff documentation, 2026). Time Doctor captures at intervals as short as three minutes and offers continuous screen video recording per plan (Time Doctor documentation, 2026).

Teramind's own sizing guidance says normal office work generates up to 1 GB of screen recording data per user per day, and between 1.5 GB and 115 GB per user per month depending on activity (Teramind documentation, 2026). Our arithmetic on those vendor figures: a 20-person team at Hubstaff's standard maximum generates up to 2,880 screenshots every working day, roughly 720,000 a year. A 100-person company at Teramind's typical rate accumulates around 2.2 terabytes of screen recordings a month.

Here is the uncomfortable part: storing all of that is cheap. At Amazon S3's standard price of $0.023 per GB-month (AWS pricing, 2026), that 2.2 terabytes costs about $50 a month to keep, and even Teramind's high-end estimate for 100 users comes to under $300 a month. Storage cost is not what should stop anyone. The real costs are the ones above: a $10.22 million average US breach, regulator attention and the burden of reviewing or defending an archive nobody can actually read.

How long do monitoring tools keep screenshots?

Between two weeks and a year, depending on vendor and plan. Retention windows come from the vendors' own documentation, and every day of retention extends the window in which an archive can leak, be subpoenaed or be misused.

The table below lists published screenshot and recording retention periods, per vendor documentation checked in June 2026.

ToolWhat is storedRetention, per vendor documentation
HubstaffScreenshots2 weeks to 6 months, per plan; 6 months is the maximum
InsightfulScreenshots and screen recordingsDeleted after 60 days
Teramind (cloud)Screen and audio recordings6 months, extendable to 12 with a compliance add-on
WebWorkScreenshots3 months to 1 year, per plan
Time DoctorScreenshots and screen videoNo published retention period

Regulation pushes the other way. GDPR's data minimisation principle requires personal data to be limited to what is necessary, and its storage limitation principle forbids keeping identifiable data longer than needed (GDPR Article 5). Breaching those principles sits in the higher fine tier, up to €20 million or 4% of worldwide turnover (GDPR Article 83(5)). The principles have teeth in monitoring cases: when France's Conseil d'État reviewed the Amazon France Logistique sanction in December 2025, it reduced the fine from €32 million to €15 million but upheld the finding that retaining every worker indicator for 31 days violated data minimisation. The vendors know this too: Time Doctor disables its screenshot feature by default for UK and EEA customers, explicitly citing GDPR (Time Doctor documentation, 2026). Nor is this only a European concern. India's DPDP Act writes an erasure duty into law once data's purpose is served, taking effect from May 2027 (DPDP Act 2023, Section 8(7)), the Philippines' Data Privacy Act requires personal information to be retained only as long as its purpose needs, subject to statutory exceptions (RA 10173, Section 11(e)), and California has applied the CCPA to employee data since 2023. This section is general information, not legal advice.

Who actually reviews the screenshots?

Mostly nobody, and that is the problem. Our arithmetic on the vendor capture rates above: even glancing at each of a 20-person team's 2,880 daily captures for two seconds would take a manager more than 90 minutes every day. In practice managers sample a handful, and the rest of the archive sits unread.

An unread archive still gets used, just not for management. It surfaces selectively in disputes: 37% of employers say they have used stored recordings as the basis for firings (ExpressVPN, 2021), and 73% of employers using monitoring software say the data has driven dismissals (ResumeBuilder, 2023). So the archive is simultaneously too large to review as a management tool and consequential enough to be weaponised after the fact, which is a poor trade for the people being recorded and a genuine liability for the company holding it. Whatever question a manager wanted answered, a pile of images was never a good answer to it; screenshots show pixels, not progress.

What is the alternative to storing screenshots?

The alternative is to derive and discard: read the screen to understand the work, keep the derived record, and delete the raw screen data. The insight a company legitimately needs, what was worked on, for how long, with what result, survives; the footage that causes breaches, disputes and regulatory exposure never accumulates.

ScreenJournal is an AI work visibility tool that reads on-screen work as it happens, turns it into a detailed timeline of what each person actually did, and then deletes the raw screen data. Timelines accumulate into a searchable chronicle of everyone's work history, and from them ScreenJournal generates timesheets and reports automatically and drafts standup summaries on request, answering questions about any of it in plain English.

Measured against the numbers on this page, the difference is structural rather than cosmetic. There is no bucket of 21 million images to misconfigure, no footage retention window to justify to a regulator, and no unreadable backlog, because the record is written work timelines a manager can actually read and an employee can see and redact. How derive-and-discard works in detail is covered on the derive-and-discard page, and how it compares with screenshot-based tools on ScreenJournal vs the alternatives.

Frequently asked questions

What was the WorkComposer screenshot leak?

In April 2025, researchers at Cybernews revealed that WorkComposer, an employee monitoring app used by more than 200,000 workers, had left over 21 million employee screenshots publicly exposed in an unsecured Amazon S3 bucket, updating in near real time. The images could include emails, internal chats, business documents, login pages, credentials and API keys.

How long do employee monitoring tools keep screenshots?

It varies by vendor and plan. Per their own documentation, Hubstaff retains screenshots from two weeks to six months depending on plan, Insightful deletes screenshots and screen recordings after 60 days, Teramind's cloud plans keep recordings for six months, extendable to twelve, and WebWork states three months to a year depending on plan.

Is storing employee screenshots a GDPR risk?

It can be. GDPR requires data minimisation and storage limitation, and breaches of those principles sit in the higher fine tier of up to €20 million or 4% of worldwide turnover. France's regulator sanctioned Amazon France Logistique over intrusive monitoring, and Time Doctor disables its own screenshot feature by default for UK and EEA customers, citing GDPR.

Does ScreenJournal store screenshots?

No. ScreenJournal reads on-screen work to build a timeline of what each person actually did, then deletes the raw screen data immediately during processing. There is no screenshot archive to secure, review or leak, and the work history that remains is a written record, not footage.

How were these figures verified?

Every figure was verified by web search between 18 June and 4 July 2026. Breach details come from the original Cybernews investigations and were cross-checked against independent coverage by Tom's Guide, TechRadar and TechCrunch. Capture rates, retention windows and storage sizing come from the vendors' own documentation, and the AWS storage price from Amazon's published price list. Breach cost and credential figures come from the IBM Cost of a Data Breach Report 2025 and the Verizon 2025 Data Breach Investigations Report.

Two figures on this page are our own arithmetic and are labelled as such in context: the screenshots-per-team-per-day and review-time estimates, both computed from Hubstaff's published maximum standard capture rate, and the monthly storage cost, computed from Teramind's published sizing guidance and AWS's published price. One dating nuance: the WebWork exposure was reported in January 2025 but discovered in mid 2024. We found no verifiable breach of Teramind and none is claimed here.

See the work itself, not screenshots of it

Timesheets, reports and answers from the work your team actually did. Available for Windows and macOS, with Linux and mobile support coming soon.