Photo printing application PhotoSquared reportedly exposed the information of thousands of customers through an unsecured Amazon Web Services storage bucket. Approximately 10,000 shipping labels were compromised by the leak.
PhotoSquared is a company that specializes in printing photo boards from digital images sent in by their customers.
vpnMentor security researchers first found the vulnerability when they came across a misconfigured S3 bucket on the web while conducting simple port scanning. Upon tracing its origins, the researchers found that the unsecured database belonged to PhotoSquared. According to TechRadar, the database was left without password protection.
The database found by vpnMentor contained 94.7 gigabytes worth of data, spanning over 10,000 records from November 2016 to January 2020. As the storage bucket was left unprotected, visitors and potential hackers could easily gain access to the customer data.
According to TechCrunch, the compromised data includes addresses as well as personal customer photos. Order details and shipping labels were also exposed to the public, as were customers' full names.
According to TechCrunch, the PhotoSquared app currently has 100,000 users around the globe.
The repercussions of the data leak are massive, particularly for PhotoSquared’s reputation and finances. Apart from facing possible legal battles and huge fines, the trustworthiness and credibility of the company could come into question.
Moreover, the customers’ safety and protection have also come under threat. Identity fraud and phishing activities may result from the incident.
In its report, vpnMentor remarked, “By combining a customer’s home address with insights into their personal lives and wealth gleaned from the photos uploaded, anyone could use this information to plan robberies of PhotoSquared users’ homes.”
vpnMentor also said, “Meanwhile, PhotoSquared customers could also be targeted for online theft and fraud. Hackers and thieves could use their photos and home addresses to identify them on social media and find their email addresses, or any more Personally Identifiable Information (PII) to use fraudulently.”
The photo printing company was able to issue a fix for the incident on February 14, 2020, 10 days after vpnMentor reached out to the firm.
Strategic Factory chief executive officer Keith Miller acknowledged the breach. Miller also confirmed to TechCrunch that the aforementioned data was no longer exposed and vulnerable. However, the chief executive did not reveal the company's plans for informing regulators, authorities, and customers of the incident.
As of writing, the photo printing company has yet to issue a statement regarding the data leak.