Private photos leaked by PhotoSquared’s unsecured cloud storage – Naked Security

Recognize anybody you know?

(Anonymized) photos leaked from PhotoSquared’s unsecured S3 bucket IMAGE: vpnMentor

No, probably not, and that is no thanks to the leaky photo app the pictures dribbled out of. After coming across thousands of photos seeping out of an unsecured S3 storage bucket belonging to a photo app called PhotoSquared, security researchers at vpnMentor blurred a few.

They also blurred a sample from a host of other personally identifiable information (PII) they came across during their ongoing web mapping project, which has led to the discovery of a steady stream of databases that have lacked even the most basic of security measures.

In this case, as they wrote up in a report published this week, the researchers came across photos uploaded to the app for editing and printing; PDF orders and receipts; US Postal Service shipping labels for delivery of printed photos; and users’ full names, home/delivery addresses and the order value in USD.

PhotoSquared, a US-based app available on iOS and Android, is small but popular: it has over 100,000 customer entries just in the database that the researchers stumbled upon.

Customer impact and legal ramifications

vpnMentor suggested that PhotoSquared might find itself in legal hot water over this breach. vpnMentor’s Noam Rotem and Ran Locar note that PhotoSquared’s failure to lock down its cloud storage has put customers at risk of identity theft, financial or credit card fraud, malware attacks, and phishing campaigns: the USPS and PhotoSquared postage data arms phishers with exactly the PII they need to sound that much more convincing.

A breach of this kind of data could also lead to burglary, they said:

By combining a customer’s home address with insights into their personal lives and wealth gleaned from the photos uploaded, anyone could use this information to plan robberies of PhotoSquared users’ homes.

Meanwhile, PhotoSquared customers could also be targeted for online theft and fraud. Hackers and thieves could use their photos and home addresses to identify them on social media and find their email addresses, or any more Personally Identifiable Information (PII) to use fraudulently.

That legal hot water could well be in California, vpnMentor suggests, given the state’s newly enacted California Consumer Privacy Act (CCPA) and the strict new rules it imposes on companies that leak customer data.
