PhotoSquared: App Leaks Data on Hundreds of Thousands of Users

A popular photo app has leaked the personal data and images of hundreds of thousands of customers via an unsecured Amazon Web Services (AWS) storage bucket, it has emerged.

Researchers at vpnMentor discovered that the misconfigured S3 database, which was left without any password protection, belonged to PhotoSquared, a company that creates printed photo boards for users who send in their digital images.

They found a 94.7GB trove containing over one million records dating from November 2016 to January 2020. The data included user photos, order records, receipts and shipping labels.

As such, a hacker with access to the database could harvest full names and home delivery addresses from customers.

This presents not just a reputational risk and possible compliance fines for PhotoSquared, which vpnMentor notes is operating in a crowded marketplace, but also a serious security risk for its customers.

This could include follow-on phishing and identity fraud as well as potential physical attacks.

“By combining a customer’s home address with insights into their personal lives and wealth gleaned from the photos uploaded, anyone could use this information to plan robberies of PhotoSquared users’ homes,” argued vpnMentor.

“Meanwhile, PhotoSquared customers could also be targeted for online theft and fraud. Hackers and thieves could use their photos and home addresses to identify them on social media and find their email addresses, or any more Personally Identifiable Information (PII) to use fraudulently.”

Discovered by a simple port scanning exercise, the leak was eventually fixed by PhotoSquared on February 14, 10 days after the firm was contacted by the researchers.

The app has over 100,000 installs on Google Play.

PhotoSquared joins multiple other brands that vpnMentor has found to have leaked data in a similar way, including Yves Rocher, Freedom Mobile and LightInTheBox.
