Researchers have discovered that a popular photo app leaked the personal data and images of thousands of customers as a result of an unsecured Amazon Web Services (AWS) storage bucket.
The discovery was made by vpnMentor whose researchers found that a misconfigured S3 database belonging to the company PhotoSquared, which creates printed photo boards from customers’ digital images, was left online without any password protection.
The S3 database stored 94.7GB of data and contained over 10,000 records from November 2016 to January 2020. User photos, order records, receipts and shipping labels were all exposed as a result of the data leak.
As the full names and home delivery addresses of PhotoSquared’s customers were left exposed online, any hacker could use this information to launch attacks against them.
PhotoSquared data leak
According to vpnMentor, PhotoSquared’s reputation could suffer as a result of the data leak and the company could also face compliance fines. Additionally, in its report detailing the investigation, vpnMentor notes that PhotoSquared customers could be targeted by both hackers and thieves, saying:
“By combining a customer’s home address with insights into their personal lives and wealth gleaned from the photos uploaded, anyone could use this information to plan robberies of PhotoSquared users’ homes. Meanwhile, PhotoSquared customers could also be targeted for online theft and fraud. Hackers and thieves could use their photos and home addresses to identify them on social media and find their email addresses, or any more Personally Identifiable Information (PII) to use fraudulently.”
The data leak was found through a simple port scanning exercise but thankfully PhotoSquared was able to fix the leak just 10 days after the company was contacted by the researchers.