Another day, another data breach putting user data at risk. This time, PhotoSquared, a popular photo app for Android and iOS, has suffered a massive leak after exposing highly personal data of hundreds and thousands of users.
Based in the United States, PhotoSquared lets users upload their photos to the app, which are then converted into lightweight photo boards that are physically delivered to users. PhotoSquared also charges a fee for each conversion depending on the type of board.
Currently, PhotoSquared has over 100,000 installs on Android devices, and it is also popular among iPhone users. The bad news is that PhotoSquared has leaked personal data of more than 100,000 users, all of it completely unsecured and unencrypted.
According to vpnMentor’s research team led by Noam Rotem and Ran Locar, PhotoSquared had the data stored on an unprotected Amazon Web Services (AWS) S3 bucket that was available for public access on the internet. The database itself was hosted somewhere in the State of Maryland.
The team published its detailed analysis in a blog post revealing that the exposed database contained the following:
- Full name of users
- Home/delivery addresses
- Photos uploaded by users for editing
- USPS shipping labels for delivery of photo tiles
- Order records in PDF files and order values in USD
In total, the database had 94.7GB worth of data dating from November 2016 to January 2020. At the time of publishing this article, PhotoSquared had secured the data based on information it received from vpnMentor; however, it took the company ten days to do so.
“Our team was able to access this bucket because it was completely unsecured and unencrypted. The purpose of this web mapping project is to help make the internet safer for all users,” researchers said.
It is unclear whether the database was accessed by a third party with malicious intent. If it was accessed by someone else, chances are that the information can now be used against victims in the form of identity theft, blackmail and phishing scams.
PhotoSquared customers are advised to get in touch with the company and ask about the breach and how it secures their data, or whether it secures their data at all.
This is not the first time vpnMentor’s research team has identified such a trove of data exposed online. Last year, the company announced that it had accessed SMS and personal data of millions of Americans hosted on Microsoft Azure.