‘PhotoSquared’ Spilled the Bins of 100,000 iOS and Android Users

• The 'PhotoSquared' app exposed billing and order details, as well as images of users who sent them for printing.
• The data stored in an online database was left unprotected for at least two weeks.
• Scammers may now impersonate USPS, extort the users, send them malware, or abuse their credit card information.

'PhotoSquared,' an app meant to help people create a printable version of photos they took on their smartphones, has exposed the personal data of 100,000 users. The sensitive information of these people was stored on an unprotected Amazon bucket, which researchers Noam Rotem and Ran Locar found after searching on database indexers. The date of the discovery was on January 30, 2020, while the owner was identified and contacted only four days later. Unfortunately, it took 'PhotoSquared' another ten days until they finally secured the leaking database.

The unprotected S3 bucket contained 94.7 GB of data dating from November 2016 to January 2020, so this was probably a live service system and not a backup. Each entry included the following:

• Full names
• Physical address
• Order details
• User photos sent for editing and printing
• USPS shipping labels

These people had sent their photographs to PhotoSquared, who undertook the responsibility to store them securely, edit them as required, create 8" x 8" photo boards, and send them back to the user's home address. This service costs $48 for a set of four photo tiles, but it looks like this time, it cost the users a tad more. They are now vulnerable to identity theft, credit card fraud, malware attacks, extortion, or scams. While the exposed images were mostly pet, children, or family photos, they still hold a lot of value to malicious actors.

As 'PhotoSquared' is based in California, the CCCA (Consumer Privacy Act) law applies to them, so this case of non-compliance may bring in some punishing fines. Apart from that, though, it will definitely cost them customer trust. There are many competitors offering similar services who are ready to grab the thousands of disappointed PhotoSquared users.

The app hasn't informed the exposed individuals about the breach, which is entirely unethical at this point. These people are in danger of getting scammed by actors who may impersonate the USPS and ask them money, so they should know about what happened at the earliest.

If you have used 'PhotoSquared' since November 2016, contact the developer at "happy2help@photosquared.com" and request all the details about what part of your data has been exposed. Finally, you should also contact your local data protection officer and inform the organization of the incident, so that they may take the appropriate investigational steps now.