Microsoft Recall’s Hidden Danger: Why Your Screenshots Are a Cybercriminal’s Goldmine
A July 2025 report validates the concerns of security experts: on Windows 11 devices, Microsoft's AI-powered Recall feature is surreptitiously gathering passwords, credit card numbers, and other private information and storing it in plaintext. Although it is promoted as a productivity tool, Recall gives hackers access to a wealth of information that could devastate both individuals and companies.
How Recall Endangers You
- Covert Data Collection
  By default, Recall captures a screenshot every five seconds, recording:
  - Login information entered in password managers
  - Credit card information entered during online transactions
  - Private correspondence and documents
  All of it is stored in an unencrypted SQLite database at C:\Users\[User]\AppData\Local\CoreAI\Recall.
- Zero Security Measures
  - The recorded data is not encrypted.
  - There are no prompts asking the user to block sensitive apps (banking apps, browsers).
  - Local admin credentials grant full access to the database.
- Attack Scenarios
  - Device theft: 60 seconds to retrieve a lifetime of sensitive data.
  - Ransomware/malware: covert exfiltration of the Recall database.
  - Insider threat: employees gaining access to executives' past activities.
Real Example: In just three minutes, researchers were able to recover six months' worth of a CEO's Slack conversations, encrypted app passwords, and banking sessions.
Microsoft's Insufficient Solutions
Despite the criticism, Recall's July 2025 "security update" does not:
- Encrypt data at rest (it remains plaintext).
- Mask card numbers: important fields are hidden, but card numbers remain clearly visible.
- Observe enterprise group policies, which are activated by default.
4 Urgent Mitigation Steps
- Disable Recall Immediately
  PowerShell: Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows" -Name "DisableCoreAI" -Value 1 -Force
- Purge Existing Data
  Delete %LocalAppData%\CoreAI\Recall folders on all devices.
- Block Recall via Intune/GPO
  Enforce registry disablement across your network.
- Scan for Stolen Data
  Use HaveIBeenPwned or dark web monitors to check for leaks.
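A read-only audit to run before and after the steps above, added here as an example and not taken from Microsoft or from this page's author: it reports whether the policy value named in the first step is set and which user profiles still hold a Recall folder. The registry path, value name and folder location are copied from this page as-is; the function names are hypothetical.

```powershell
# Read-only audit: changes and deletes nothing. Run elevated to see all profiles.
# Registry path, value name and folder location are taken from this page as-is.
$PolicyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$PolicyName   = 'DisableCoreAI'
$RelativePath = 'AppData\Local\CoreAI\Recall'

function Get-RecallPolicyValue {
    # Returns the configured value, or $null when the value is absent.
    $item = Get-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$PolicyName
}

function Get-RecallDataFolder {
    param([string]$ProfilesRoot = (Join-Path $env:SystemDrive 'Users'))
    # Check every profile, not only the current user's %LocalAppData%.
    Get-ChildItem -LiteralPath $ProfilesRoot -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $folder = Join-Path $_.FullName $RelativePath
            if (Test-Path -LiteralPath $folder) {
                $files  = @(Get-ChildItem -LiteralPath $folder -Recurse -File -Force -ErrorAction SilentlyContinue)
                $bytes  = ($files | Measure-Object -Property Length -Sum).Sum
                $newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
                [pscustomobject]@{
                    Profile   = $_.Name
                    Folder    = $folder
                    Files     = $files.Count
                    SizeMB    = [math]::Round([double]$bytes / 1MB, 2)
                    LastWrite = if ($newest) { $newest.LastWriteTime } else { $null }
                }
            }
        }
}

$value   = Get-RecallPolicyValue
$folders = @(Get-RecallDataFolder)
[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    PolicyValue  = if ($null -eq $value) { 'not set' } else { $value }
    FoldersFound = $folders.Count
} | Format-List | Out-Host
$folders | Format-Table -AutoSize | Out-Host

# Non-zero exit lets a management tool flag the device as still needing the first two steps.
if ($value -ne 1 -or $folders.Count -gt 0) { exit 1 } else { exit 0 }
```

A device that exits 0 has the policy value set to 1 and no remaining Recall folder under any profile.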
The Greater Danger: AI Features Outpacing Security
Recall is an example of a risky pattern:
- Basic encryption is absent from 73% of "productivity AI" tools (Forrester 2025).
- Data gathering by default is against the CCPA and GDPR.
- Employees unintentionally create archives that can be used for corporate espionage.
Protect Your Data Against Recall-Style Threats with Bayon Technologies Group
Don’t let AI "helpers" become your downfall. We deliver:
✅ Recall Emergency Response
Disable Recall + purge databases network-wide
Forensic scans to identify exposed data
✅ AI Security Hardening
Policy enforcement for Copilot, Recall, and AI plugins
Real-time monitoring of unauthorized data capture
✅ Encryption-First Architecture
Full-disk encryption + database/file-level protection
✅ Employee Training
Simulated phishing + "AI feature risks" workshops