An open database exposed at least 11 million photographs after the Theta360 photo sharing system run by Ricoh was breached.
"The data breach exposed thousands of users' photos, many of whom chose to keep their images private," according to a blog post from vpnMonitor, whose researchers, Noam Rotem and Ran Locar, discovered the database. "The breach did not expose users' most personal information, but in many cases, we located their usernames, first and last names, and the captions they wrote in the exposed database."
While the researchers couldn't directly access users' social media accounts through the system, they said information exposed included user names, usernames, each photo's universal unique identifier (UUID), captions and privacy settings.
The UUIDs allowed access to any exposed photo, and in some cases the researchers could easily connect the usernames in the database to the user's social media account.
Rotem and Locar discovered the leak on May 14 and contacted Theta360 on May 15, receiving a response that same day. By May 16, Theta360 had closed the leak.
"Exposing personal photos publicly is a major violation of customer privacy," said Jonathan Bensen, CISO and senior director of product management at Balbix, giving Ricoh the nod for taking immediate action but noting "organizations should not be relying on third-party researchers to detect this kind of vulnerability."
Bensen added that it's impossible for humans alone to monitor all assets that may be vulnerable to attack or exposure, but machine learning and artificial intelligence tools can, and should, be leveraged by organizations to continuously monitor for risk and vulnerabilities.