The data has been exposed for months, Gevers noted.

SenseNets hasn't commented on the findings, but it did start locking down its database after Gevers reported the security hole. He didn't know what he'd come across before disclosing the vulnerability, though, and has since regretted the move knowing that it provided insight into Chinese oversight.

While there aren't definitive conclusions about SenseNets' role, it's believed to be helping the Chinese government track Uighurs as it tries to silence political dissent and religious expression. The collection of the data is worrying by itself, but it's made all the worse by loose security -- hackers and other opportunists could have used the targets' information for fraud or other crimes. It illustrates a frequent issue with mass surveillance: even if officials don't misuse data, it becomes a tempting target for malicious actors who can find weaknesses in the databases.