Theta360 Exposed 11 Million Photographs Through Its Unsecured Database

Another security lapse has breached users’ privacy as the researchers discovered an unsecured database. This incident related to the Theta360 breach, where the firm leaked millions of users’ photographs from their database.

Theta360 Breach Exposed Users’ Photographs

The hacktivists duo from VPNMentor, Noam Rotem and Ran Locar, come across another unprotected database leaking user records. This time, they unveil the Theta360 breach, reporting how the firm exposed users’ photographs via an unsecured database.

As stated in a blog post, the leaky database exposed at least 11 million private and public photographs of the users.

We could access more than 11 million unencrypted posts from Theta360’s database.

While the leaked information didn’t include any other personal data, it did include the users’ names and captions. Precisely, the breached details included names, usernames, UUID (Universal Unique Identifier) of every photograph, caption, and privacy settings. Anyone having access to the database could use these details to find more about the users. As the researchers stated,

By inserting the UUID of the photos into the Elasticsearch database, we could access any exposed photos. In some cases, we could easily connect the usernames in the database to the user’s social media account… Additionally, using the same methods, we could access photos from users’ private profiles.

Besides, they could also view the ‘unlisted’ user profiles and related private photos.

Database Now Closed

The researchers found the exposed Theta 360 database on May 14, 2019. The very next day, they informed the firm of the breach. Theta360 promptly responded to their report. Consequently, the database went offline on May 16, 2019. The researchers duly appreciate the firm’s promptness in handling the matter – something not very common to businesses.

Recently, the duo had also reported the security lapse at Freedom Mobile. That time, the firm left 5 million records exposed on the unprotected database.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients