Popular photo printing app PhotoSquared has exposed thousands of customer photos, addresses and orders details.
At least 10,000 shipping labels were stored in a public Amazon Web Services (AWS) storage bucket. There was no password on the bucket, allowing anyone who knew the easy-to-guess web address access to the customer data. All too often, these AWS storage buckets are misconfigured and set to “public” and not “private.”
The exposed data included high-resolution user-uploaded photos and generated shipping labels, dating back to 2016, and was updating by the day. The app has more than 100,000 users, according to its Google Play listing.
It’s not known how long the storage bucket was left open.
One of the customer orders, including photos and the customer’s shipping address. The exposed storage bucket also had thousands of shipping labels.
Security researchers provided the name of the exposed bucket to TechCrunch. We matched a number of shipping labels against existing public records, and contacted PhotoSquared on Wednesday to warn of the exposure.
Keith Miller, chief executive of Strategic Factory, which owns PhotoSquared, confirmed that the data was no longer exposed; however, Miller declined to say if it planned to inform customers or regulators under data breach notification laws.
At the time of writing, PhotoSquared has made no reference to the security lapse on its website or its social media accounts.