[BreachExchange] PhotoSquared data leak leaves 94.7GB of customer data exposed online including names, addresses

Destry Winant destry at riskbasedsecurity.com
Wed Feb 19 10:08:46 EST 2020


https://www.hindustantimes.com/tech/photosquared-data-leak-leaves-94-7gb-of-customer-data-exposed-online-including-names-addresses/story-stsC8h4OiVI0858fe4KQQO.html

Researchers recently discovered that a popular photo app called
PhotoSquared leaked personal data and images of thousands of
customers. This leak happened as a result of an ‘unsecured’ Amazon Web
Services (AWS) storage bucket.

The discovery of this leak was made by vpnMentor, who found that a
misconfigured S3 database belonging to PhotoSquared was left online
without any password protection.

PhotoSquared creates printed photo boards from customers’ digital images.

The S3 database had 94.7GB of data and contained more than 10,000
records from November 2016 to January 2020 including photos, order
records, receipts, shipping labels etc.

Full names and home delivery addresses of PhotoSquared’s customers
were left exposed online in the leak and any hacker could use this
information.

According to vpnMentor, “PhotoSquared’s reputation could suffer as a
result of the data leak and the company could also face compliance
fines”, reports TechRadar. Additionally, in the report detailing its
investigation, vpnMentor noted that PhotoSquared customers could be
targeted by both hackers and thieves, saying:

“By combining a customer’s home address with insights into their
personal lives and wealth gleaned from the photos uploaded, anyone
could use this information to plan robberies of PhotoSquared users’
homes. Meanwhile, PhotoSquared customers could also be targeted for
online theft and fraud. Hackers and thieves could use their photos and
home addresses to identify them on social media and find their email
addresses, or any more Personally Identifiable Information (PII) to
use fraudulently.”

This data leak was found through a simple port scanning exercise, but
thankfully PhotoSquared was able to fix the leak within just 10 days
after the company was contacted by the researchers.
