‘PhotoSquared’ Spilled the Beans of 100,000 iOS and Android Users

Last updated September 25, 2021
Written by: Bill Toulas, Infosec Writer

'PhotoSquared,' an app meant to help people create a printable version of photos they took on their smartphones, has exposed the personal data of 100,000 users. The sensitive information of these people was stored on an unprotected Amazon S3 bucket, which researchers Noam Rotem and Ran Locar found after searching on database indexers. The discovery was made on January 30, 2020, and the owner was identified and contacted four days later. Unfortunately, it took 'PhotoSquared' another ten days to finally secure the leaking database.

The unprotected S3 bucket contained 94.7 GB of data dating from November 2016 to January 2020, so this was probably a live service system and not a backup. Each entry included the following:

These people had sent their photographs to PhotoSquared, who undertook the responsibility to store them securely, edit them as required, create 8" x 8" photo boards, and send them back to the user's home address. This service costs $48 for a set of four photo tiles, but it looks like this time, it cost the users a tad more. They are now vulnerable to identity theft, credit card fraud, malware attacks, extortion, or scams. While the exposed images were mostly pet, children, or family photos, they still hold a lot of value to malicious actors.

As 'PhotoSquared' is based in California, the CCPA (California Consumer Privacy Act) applies to them, so this case of non-compliance may bring in some punishing fines. Apart from that, though, it will definitely cost them customer trust. There are many competitors offering similar services who are ready to grab the thousands of disappointed PhotoSquared users.

The app hasn't informed the exposed individuals about the breach, which is entirely unethical at this point. These people are in danger of getting scammed by actors who may impersonate the USPS and ask them for money, so they should be told what happened as soon as possible.

If you have used 'PhotoSquared' since November 2016, contact the developer at "[email protected]" and request all the details about what part of your data has been exposed. Finally, you should also contact your local data protection officer and inform the organization of the incident, so that they may take the appropriate investigative steps now.


