[BreachExchange] Theta360 leak exposes 11 million photos, user data

[Destry Winant]

https://www.scmagazine.com/home/security-news/privacy-compliance/theta360-leak-exposes-11-million-photos-user-data/

An open database exposed at least 11 million photographs after the
Theta360 photo sharing system run by Ricoh was breached.

“The data breach exposed thousands of users’ photos, many of whom
chose to keep their images private,” according to a blog post from
vpnMonitor, whose researchers, Noam Rotem and Ran Locar, discovered
the database. “The breach did not expose users’ most personal
information, but in many cases, we located their usernames, first and
last names, and the captions they wrote in the exposed database.”

While the researchers couldn’t directly access users’ social media
accounts through the system, they said information exposed included
user names, usernames, each photo’s universal unique identifier
(UUID), captions and privacy settings.

The UUID’s allowed access to any exposed photo and in some cases, the
researchers could easily connect the usernames in the database to the
user’s social media account.

Rotem and Locar discovered the leak on May 14 and contacted Theta360
on May 15, receiving a response that same day. By May 16, Theta360 had
closed the leak.

“Exposing personal photos publicly is a major violation of customer
privacy,” said Jonathan Bensen, CISO and senior director of product
management at Balbix, giving Ricoh the nod for taking immediate action
but noting“organizations should not be relying on third-party
researchers to detect this kind of vulnerability.”

Bensen added  that it’s impossible for humans alone to monitor all
assets that may be vulnerable to attack or exposure, but machine
learning and artificial intelligence tools can—and should—be leveraged
by organizations to continuously monitor for risk and vulnerabilities.