Popular U.S.-based photo app PhotoSquared has experienced a massive data leak, according to a blog post from vpnMentor. A vpnMentor research team led by Noam Rotem and Ran Locar uncovered roughly 100,000 users’ data being exposed in the leak. The data included sensitive photos and personal information shared with the company for account creation (email, login, etc.) as well as addresses and more. PhotoSquared is used for creating “squares” of personal photos that are utilized for decorative purposes.
As the vpnMentor post states, the data was on a “completely unsecured and unencrypted” AWS S3 bucket, which is an egregious lack of basic security protocols:
The database was hosted on AWS, using an S3 bucket with the company’s name in the database URL. There were also company invoices stored alongside user photos, all of which were completely unsecured… It’s important to note that open, publicly viewable S3 buckets are not a flaw of AWS. They’re usually the result of an error by the owner of the bucket. Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private.
The post then goes on to give specific examples of how this incident could have been avoided:
In the case of PhotoSquared, the quickest way to fix this error would be to… make the bucket private and add authentication protocols… follow AWS access and authentication best practices… add more layers of protection to their S3 bucket to further restrict who can access it from every point of entry.
vpnMentor says it contacted PhotoSquared, which took action to close the leak. Still, users of PhotoSquared should think about not using this app. A company that cannot follow basic security practices raises questions. Additionally, any data leaked in this incident that fell into the hands of hackers can be used for identity theft, so it would be advisable for all users to monitor all banking and credit card activity for anything suspicious.
Featured image: Shutterstock