Security researchers say a misconfigured server owned by the controversial facial recognition company, Clearview AI, exposed its software’s source code as well as internal credentials and keys.

According to TechCrunch, which first reported on the flaw, Mossab Hussein, the chief security officer at SpiderSilk, a security firm based in Dubai, uncovered a flawed Clearview server that stored sensitive data and allowed users to bypass its password protection.

Specifically, Hussein found that a misconfiguration allowed anyone to register as a new user and access the database containing Clearview’s code regardless of whether they had entered a password.

TechCrunch reports that, in addition to source code that would allow anyone to use Clearview’s software, the database also contained passwords and other keys that would allow one to access the company’s cloud storage buckets.

Finished versions of Clearview’s apps for iOS and Android as well as pre-developer beta versions were contained in those buckets, TechCrunch reports.

Additionally, TechCrunch reports that the database contained what’s known as a ‘token’ that would allow one to access the company’s Slack channel where employees send private messages.

Clearview’s CEO and founder Hoan Ton-That confirmed the flaw to TechCrunch and said that it ‘did not expose any personally identifiable information, search history or biometric identifiers.’

Ton-That also accused SpiderSilk of extortion, but emails reviewed by TechCrunch show that Hussein notified Clearview of its security lapse and declined to accept a bug bounty since the company requires a non-disclosure agreement.

The agreement would prevent Hussein from going public with his findings.

As noted by TechCrunch, it’s not atypical for companies to require that researchers accept non-disclosure agreements in exchange for a bug bounty – a payment – for finding flaws in their security.

Clearview AI software allows its customers to identify people by uploading photos to the company’s servers, where they’re compared against a database of more than 3 billion photos pulled from Facebook, YouTube, Twitter, and even Venmo.

The service was reportedly used by at least 600 different law enforcement agencies in the last year, including the Chicago Police Department, the Department of Homeland Security and the FBI.