Photo App Data Breach Shares More Than Just Your Photos

Smile and say cheese? Well, not after the recent discovery that a PhotoSquared app data breach exposed not only the personal pictures of their app users, but leaked their confidential information as well. The popular photo app spilled the data of over 100,000 users in a breach that could have been easily avoided. Its cloud server, an AWS (Amazon Web Services) S3 storage bucket, was hosted in Maryland and held over a million client records. It was found that 94.7GB’s were openly held in the S3 server and could easily be accessed by bad actors. The revelation by vpnMentor also found user PII (Personally Identifiable Information) that was there for the taking from November 2016 to January 2020. Clients of the photo app were unaware their sensitive photos and PII were publicly available during that time, leaving them vulnerable targets for online theft, fraud, and even home robberies.

The PhotoSquared breach included confidential PII such as name and home addresses found on shipping labels. In the hands of a hacker, that information can lead to identifying customers on social media, access to email address, pictures of family members and friends, and possessions in a home where photos were taken. Having that PII is a red carpet for cybercriminals, inviting them to steal identities, commit financial or credit card fraud, phishing campaigns, and attack users with malicious software like spyware and ransomware. Any way you look at it, a positive picture becomes a negative when PII is left unsecured on a public-facing server, no matter who’s at fault.

It didn’t help those affected by the data breach to know it was an easily avoidable error on the part of PhotoSquared that put their security at risk. Although a misconfigured AWS S3 cloud server was the reason for the breach, PhotoSquared should have checked all configurations before making the server active. Businesses that store customer data should step-up their cybersecurity (or lack thereof) practices and take responsibility for the safety and security of PII. A simple security measure like making sure a data bucket is set on “private” and not on “public” can avoid a lot of headaches and a massive hit to a company’s reputation.

Server authentication and access practices need to be followed closely, as well as adding extra protection layers like multifactor authentication, to restrict unauthorized access from all entry points. Users affected by instances like this should take a moment to change passwords immediately after they learn of an event. Use strong passwords that are unique for each account and include numbers, upper- and lower-case letters, and special characters to keep your accounts as safe as you can make them.

Unfortunately, this is not the first time a poorly configured cloud server led to a data breach and the concern is that it won’t be the last.