The popular photo app PhotoSquared has compromised the privacy and security of 100,000s of its users through an exposed database.
Researchers at vpnMentor discovered the database on January 30 in an AWS S3 bucket that was unsecured, with no password protection.
The database in question contained over a million records, amounting to 94.7 GB of data dating from November 2016 to January 2020.
The database included full names, home/delivery addresses, order values in USD, user photos, PDF order records and receipts, and USPS shipping labels.
Exposing such a large amount of data will have a significant impact on the business: PhotoSquared has many competitors offering similar services, so the company risks losing both customers and market share to them.
“Data privacy is a huge concern for many people, and they may be reluctant to trust an app that doesn’t take more robust data security measures,” wrote vpnMentor.
The app has put its users in danger, online and offline: “By combining a customer’s home address with insights into their personal lives and wealth gleaned from the photos uploaded, anyone could use this information to plan robberies of PhotoSquared users’ homes.”
Users could also be targeted for online theft and fraud.
The database was fixed 10 days after the researchers made contact.
“It’s important to note that open, publicly viewable S3 buckets are not a flaw of AWS. They’re usually the result of an error by the owner of the bucket.”