Millions of photos, including private and unlisted images, taken by Theta360 camera owners have been left exposed in an open database, security researchers from vpnMentor have found. The hacktivists uncovered a leak which leaves at least 11 million images exposed, along with usernames, first names and last names of users in many cases.
Thousands of Theta360 devices have been sold since the camera's release in 2014, allowing users to upload and share their images and videos to the cloud from the camera for “safe-keeping”. It is this cloud database that was left exposed, revealing the images and their information to anyone with access. The exposed data included:
- The user’s name
- UUID (Universal Unique Identifier) of each photo posted
- Caption included on each post
- Privacy settings
By looking up a photo's UUID in the Elasticsearch database, anybody who knew where to look could easily access any exposed photo. In some cases, it would also be easy to connect a username in the database to the user’s social media account.
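The page does not say how the Elasticsearch instance came to be reachable, so the following is an added illustration, not Theta360's or Ricoh's configuration: it assumes the common pattern of a node bound to a public interface with authentication switched off, and shows the corrected settings beside it. Note that database-level authentication is only the outer wall; the per-post privacy setting stored in each document is application metadata that the web service itself must enforce before resolving a UUID to an image.

```yaml
# elasticsearch.yml, WEAK (assumed misconfiguration, constructed for illustration)
network.host: 0.0.0.0            # listens on every interface, including the public one
xpack.security.enabled: false    # no authentication on the HTTP API, so any UUID lookup succeeds
---
# elasticsearch.yml, HARDENED (same node, bound to the private network with auth and TLS)
network.host: 10.0.0.5                              # placeholder private address; bind only to the internal interface
xpack.security.enabled: true                        # every request must carry credentials or an API key
xpack.security.http.ssl.enabled: true               # encrypt the HTTP API so credentials are not sent in clear
xpack.security.http.ssl.keystore.path: http.p12     # placeholder keystore name in the config directory
```

A quick defender-side check for the weak state is an unauthenticated GET to port 9200 from outside the private network: a hardened node answers with HTTP 401, an open one returns cluster details.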
Ricoh, the electronics company that runs Theta360, was informed of the data breach and resolved the issue within one day, so the leak is now closed. It is unclear how long the database was open in total. While the build date of the open database suggests it was created on April 1, the researchers at vpnMentor only uncovered it and had the issue resolved on May 14, over a month later. This means the unprotected images may have been open to any malicious actors for over a month.
What’s the Impact?
While Theta360’s database obscured more sensitive data like location coordinates, this was a major privacy breach that could have a far-reaching impact if malicious actors had the opportunity to download the database.
Many users who posted photos privately chose to hide personal or private information. For example, some parents choose to keep images of their children private, as they do not want pictures of their child to be freely available on the internet. Other parents might feel that posting pictures of their children is an invasion of the child’s privacy. For these parents, having the images freely available could be considered as damaging.
Family privacy aside, if we combed through all 11 million posts, we could have uncovered illicit photos that were intended to remain private. Publicising illicit photos can have far-reaching consequences for the subjects. In some professions, this could cost a user their job, as in the case of a teacher whose nude picture was leaked.
For others, leaked photos may reveal information about affairs or even vacations that need to remain secret. Geotags in the data can also easily lead to more sensitive information about the user's location at the time the photo was taken.
How The Breach Was Discovered
vpnMentor discovered the leak in Theta360’s database through their web-mapping project. Led by Ran Locar and Noam Rotem, the research team scans ports to look for known IP blocks. They then use this information to find open holes in a company’s web systems and look for leaks and other weaknesses.
The researchers often have an idea of where a leak may be coming from, and they examine the database to confirm its owner.
After discovering the leak, they contact the owner of the database to inform them about holes in their security. If possible, they also alert the affected users. This way, they can work with companies to make the internet safer and more secure. Although vpnMentor examined the data available, their research team did not download the database itself, in order to uphold their ethical standards.
The full report can be found here.
vpnMentor are a VPN comparison site, demystifying the world of VPNs through honest reviews and clear, digestible guides about VPNs and web security. They are committed to improving the safety and security of the web, working with white hat hackers to uncover data breaches before malicious actors can, and ensuring they are resolved.