A major hacking operation to snoop on government and military officials in 21 countries has been traced back to Lebanon's security headquarters after bungling spies accidentally uploaded the files to the internet and left them online.

The surveillance campaign, dubbed Dark Caracal, retrieved call logs, audio recordings, WhatsApp messages, location information and browsing history of thousands of victims' smartphones across North Africa, Europe, the Middle East and North America, according to a report published Thursday.

The report by a mobile security firm Lookout and digital rights group Electronic Frontier Foundation claimed suspected test devices - a set of phones that appear to have been configured to roadtest the spyware - all seemed to have connected to a WiFi network active at the site of Lebanon's security headquarters.

The "prolific" hacking arsenal was only discovered after Lebanese spies published a gigabyte of stolen data on the internet.

"It's almost like thieves robbed the bank and forgot to lock the door where they stashed the money," Mike Murray, head of intelligence at Lookout, told Associated Press.

By sifting through the stolen information, security experts were able to deduce that victims included members of the military, government officials, medical practitioners, education professionals and academics from a range countries including Germany, Italy, Russia, South Korea, the US and Syria. British officials appear not to have been affected.