VPNMentor reports that their research team has discovered that Theta360 inadvertently left users’ photos — even those intended to be private — exposed.
The leak exposed at least 11 million public and private photographs.
The data breach exposed thousands of users’ photos, many of whom chose to keep their images private. The breach did not expose users’ most personal information, but in many cases, we located their usernames, first and last names, and the captions they wrote in the exposed database.
Read more about their findings and methods on VPNMentor. It’s not clear from their reporting whether any unauthorized entities did access and/or exfiltrate data, but the report claims that it was possible to not only access private profiles but private photos:
The final example below demonstrates the extent to which the leak compromised users’ privacy. Here, the user chose to mark their account as unlisted. This should have masked their presence on Theta360. The account was not only visible on the database, but we could also access the user’s private pictures.
Ricoh posted the following statement on their web site on May 31. It appears to suggest that accessing private photos may not have been as easy as VPNMentor’s post might have suggested:
Notification regarding unlisted images on Theta360.com
May. 31, 2019
Ricoh was recently notified of a configuration issue related to unlisted images on the Theta360.com website and corrected it within hours. We can confirm that our immediate remediation measures are now complete. However, it is important to note that prior to remediation, unlisted images were not directly viewable. Someone would have needed the technical knowledge and the desire to locate the other components required to complete the URL providing access.
We take the security of customer information extremely seriously. In today’s rapidly evolving business environment, Ricoh continually reviews protocols and optimizes security to ensure the safety of all the information contained on theta360.com.