An open database exposed at least 11 million photographs after the Theta360 photo sharing system run by Ricoh was breached.
“The data breach exposed thousands of users’ photos, many of whom chose to keep their images private,” according to a blog post from vpnMentor, whose researchers, Noam Rotem and Ran Locar, discovered the database. “The breach did not expose users’ most personal information, but in many cases, we located their usernames, first and last names, and the captions they wrote in the exposed database.”
While the researchers couldn’t directly access users’ social media accounts through the system, they said the exposed information included users’ names, usernames, each photo’s universally unique identifier (UUID), captions and privacy settings.
The UUIDs allowed access to any exposed photo, and in some cases the researchers could easily connect the usernames in the database to the user’s social media account.
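The report says a photo could be retrieved by its UUID alone, regardless of the privacy setting stored beside it. The following is an added example, not code from the page, Ricoh or vpnMentor, contrasting that lookup pattern with one that enforces the stored privacy flag; the record fields, function names and sample UUIDs are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample records modelled on the fields the report lists as exposed
# (username, photo UUID, caption, privacy setting). Not real Theta360 data.
@dataclass(frozen=True)
class Photo:
    photo_uuid: str
    owner: str
    caption: str
    private: bool

PHOTOS: Dict[str, Photo] = {
    p.photo_uuid: p
    for p in (
        Photo("3fa85f64-5717-4562-b3fc-2c963f66afa6", "alice", "Beach pano", private=True),
        Photo("9b2d4e7a-1c3f-4a8e-9d6b-0e5f7a1b2c3d", "bob", "City skyline", private=False),
    )
}


def fetch_photo_by_uuid(photo_uuid: str) -> Optional[Photo]:
    """Lookup keyed only on the UUID (the pattern the report describes).

    Knowing the identifier is enough to retrieve the image, so once the UUID
    list leaks, the private flag stored next to it offers no protection.
    """
    return PHOTOS.get(photo_uuid)


def fetch_photo(photo_uuid: str, requester: Optional[str]) -> Optional[Photo]:
    """Hardened lookup: the stored privacy setting is checked on every read.

    A private photo is returned only to its owner. The UUID is a locator,
    never a credential, so a leaked identifier list alone grants nothing.
    """
    photo = PHOTOS.get(photo_uuid)
    if photo is None:
        return None
    if photo.private and requester != photo.owner:
        # Same response as "not found" so the caller cannot confirm the UUID exists.
        return None
    return photo
```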
Rotem and Locar discovered the leak on May 14 and contacted Theta360 on May 15, receiving a response that same day. By May 16, Theta360 had closed the leak.
“Exposing personal photos publicly is a major violation of customer privacy,” said Jonathan Bensen, CISO and senior director of product management at Balbix, giving Ricoh the nod for taking immediate action but noting “organizations should not be relying on third-party researchers to detect this kind of vulnerability.”
Bensen added that it's impossible for humans alone to monitor all assets that may be vulnerable to attack or exposure, but machine learning and artificial intelligence tools can—and should—be leveraged by organizations to continuously monitor for risk and vulnerabilities.