PhotoSquared data leak exposes users’ photos, information

Popular U.S.-based photo app PhotoSquared has experienced a massive data leak, according to a blog post from vpnMentor. A vpnMentor research team led by Noam Rotem and Ran Locar uncovered roughly 100,000 users’ data being exposed in the leak. The data included sensitive photos and personal information shared with the company for account creation (email, login, etc.) as well as addresses and more. PhotoSquared is used for creating “squares” of personal photos that are utilized for decorative purposes.

As the vpnMentor post states, the data was on a “completely unsecured and unencrypted” AWS S3 bucket, which is an egregious lack of basic security protocols:

The database was hosted on AWS, using an S3 bucket with the company’s name in the database URL. There were also company invoices stored alongside user photos, all of which were completely unsecured... It’s important to note that open, publicly viewable S3 buckets are not a flaw of AWS. They’re usually the result of an error by the owner of the bucket. Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private.

The post then goes on to give specific examples of how this incident could have been avoided:

In the case of PhotoSquared, the quickest way to fix this error would be to... make the bucket private and add authentication protocols... follow AWS access and authentication best practices... add more layers of protection to their S3 bucket to further restrict who can access it from every point of entry.

vpnMentor says it contacted PhotoSquared, which took action to close the leak. Still, users of PhotoSquared should think about not using this app. A company that cannot follow basic security practices raises questions. Additionally, any data leaked in this incident that fell into the hands of hackers can be used for identity theft, so it would be advisable for all users to monitor all banking and credit card activity for anything suspicious.

Featured image: Shutterstock

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Published by
Derek Kortepeter

Recent Posts

Managing Azure VMs with System Center Virtual Machine Manager

You may not know it, but System Center Virtual Machine Manager can be used for…

13 hours ago

Best and most secure VPN services for small businesses

As we adjust to a new remote work culture due to coronavirus, a secure VPN…

17 hours ago

Exchange security: Get your SPF, DMARC, and DKIM records in place

Every Exchange admin lives with the constant fear their system will be breached. Having SPF,…

20 hours ago

GE data breach exposes thousands of employee records

A GE data breach exposed a hacker’s treasure trove of employee records, including Social Security…

2 days ago

Getting speed and consistency using Linux text editors and console

Ready to go back to the future? Here’s a look at some Linux text editors…

2 days ago

Amazon GuardDuty unveils new, lower pricing tiers

The Amazon GuardDuty threat-detection service has unveiled some lower price tiers, which will be especially…

2 days ago