Archives

packaging

PhotoSquared app exposed customer photos and shipping labels

Popular photo printing app PhotoSquared has exposed thousands of customer photos, addresses, and order details.

At least ten thousand shipping labels were stored in a public Amazon Web Services (AWS) storage bucket. There was no password on the bucket, allowing anyone who knew the easy-to-guess web address access to the customer data. All too often, these AWS storage buckets are misconfigured and set to “public” and not “private.”

The exposed data included high-resolution user-uploaded photos and generated shipping labels dating back to 2016, and was being updated by the day. The app has more than 100,000 users, according to its Google Play listing.

It’s not known how long the storage bucket was left open.

One of the customer orders, including photos and the customer’s shipping address. The exposed storage bucket also had thousands of shipping labels. (Image: TechCrunch)

Security researchers provided the name of the exposed bucket to TechCrunch. We matched a number of shipping labels against existing public records, and contacted PhotoSquared on Wednesday to warn of the exposure.

Keith Miller, chief executive of Strategic Factory, which owns PhotoSquared, confirmed that the data was no longer exposed, but declined to say if the company planned to inform customers or regulators under data breach notification laws.

At the time of writing, PhotoSquared has made no reference to the security lapse on its website or its social media accounts.

This is the best way to give cash as a gift without being totally boring

Giving cash as a gift? Boring. Impersonal. And let’s be honest, it’s kind of a copout for when you don’t know what to get somebody.

But if you’re going to give cash, do it right. Twitter user @TwoClawsMedia is showing us how. 

None of the kids wanted toys for Christmas this year, they just wanted cash. Understandable, but cash as a gift, while practical, always feels impersonal, so I made special packaging. Went over well pic.twitter.com/urXVCHtDyW

— Donnachaidha O’Chionnaigh (@TwoClawsMedia) December 26, 2019

He explained on Twitter that the kids in his family wanted cash for Christmas. “Understandable, but cash as a gift, while practical, always feels impersonal, so I made special packaging.”

Tuft & Needle exposed thousands of customer shipping labels

Mattress and bedding giant Tuft & Needle left hundreds of thousands of FedEx shipping labels containing customer names, addresses, and phone numbers on an unprotected cloud server.

More than 236,400 shipping labels were found on an Amazon Web Services (AWS) storage bucket without a password, allowing anyone who knew the easy-to-guess web address access to the customer data. Often, the owner misconfigures these AWS storage buckets by setting them to “public” and not “private.”

The exposed labels were created between 2014 and 2017 during the company’s early years. Tuft & Needle was founded in 2012 in Arizona. But some labels were printed as recently as 2018.

It’s not known for how long the storage bucket was left open.

Two customer shipping labels of the hundreds of thousands exposed. We have redacted the shipping labels to protect the customers’ privacy. (Screenshot: TechCrunch)

U.K.-based penetration testing company Fidus Information Security found the exposed data. TechCrunch verified the data by matching names and addresses against public records.

We contacted Tuft & Needle about the data exposure on Monday. The storage bucket was quickly shut down.

“We’ve secured any potential exposure and are investigating the matter further,” said spokesperson Brooke Figlo in an email.

Tuft & Needle said it would “comply” with any applicable state data breach notification laws, but did not explicitly say if the company would inform customers of the security lapse.