Clearview, a secretive facial-recognition startup that claims to scrape the Internet for images to use, has itself now had data unexpectedly scraped, in a manner of speaking. Someone apparently popped into the company's system and stole its entire client list, which Clearview to date has refused to share.

Clearview notified its customers about the leak today, according to The Daily Beast, which obtained a copy of the notification. The memo says an intruder accessed the list of customers, as well as the number of user accounts those customers set up and the number of searches those accounts have conducted.

"Unfortunately, data breaches are part of life in the 21st century," Tor Ekeland, an attorney for Clearview, told The Daily Beast. "Our servers were never accessed. We patched the flaw and continue to work to strengthen our security."

Clearview vaulted from obscurity to the front page following a report by The New York Times in January. The paper described Clearview as a "groundbreaking" service that could completely erode privacy in any meaningful way.

The company at the time claimed to have in place 600 agreements with law enforcement agencies to use its software, which allegedly aggregated more than 3 billion facial images from other apps, platforms, and services. Those other platforms and their parent companies—including Twitter, Google (YouTube), Facebook (and Instagram), Microsoft (LinkedIn), and Venmo—all sent Clearview cease and desist letters, claiming its aggregation of images from their services violates their policies.

Clearview, which stresses its service is "available only to law enforcement agencies and select security professionals," refused repeatedly to share client lists with reporters from several outlets. Reporters from The New York Times and BuzzFeed both dove into several of the company's marketing claims and found some strong exaggerations. Clearview boasts that its technology helped lead to the arrest of a would-be terrorist in New York City, for example, but the NYPD told BuzzFeed Clearview had nothing to do with the case.

In the face of public criticism, the company made exactly two blog posts, each precisely two paragraphs long. The first, under the subject line "Clearview is not a consumer application," insists, "Clearview is NOT available to the public," emphasis theirs. It adds, "While many people have advised us that a public version would be more profitable, we have rejected the idea."

Four days later, the company added another post, stressing that its code of conduct "mandates that investigators use our technology in a safe and ethical manner." While "powerful tools always have the potential to be abused," the company wrote, its app "has built-in safeguards to ensure these trained professionals only use it for its intended purpose."

Clearview did not at any point say what these safeguards might be, however, nor has it explained who qualifies as "select security professionals."

Other companies that partner with law enforcement for surveillance technologies have also not always been successful in attempts to keep their client lists on the down-low. Amazon, for example, attempted just that with its Ring line of products. After repeated media reports tried to draw out the details, however, Ring finally went public with a list of 405 agencies last August and through February 13 at least has kept updating the list of those (now 967) deals.