- Lifeprint app leak exposed 2 million private photos and user information
- The poorly configured storage also revealed firmware keys, creating a risk of malicious printer hijacking
- Users face blackmail threats, identity theft and doxxing from exposed data
A major privacy incident has exposed millions of private photos from Lifeprint, a line of portable photo printers.
The leak, discovered by researchers at Cybernews, exposed more than 8 million files, including 2 million unique photos, which were accessible without authentication.
Lifeprint is produced by C+A Global, a New Jersey company founded in 2003. It allows users to send images and GIFs directly from a smartphone to a connected device, or even to a friend's printer, through an application for iOS and Android. The Android version of the application has been downloaded more than 100,000 times on Google Play.
More than 1.6 million printed photos
According to the researchers, the leak was caused by a misconfigured storage bucket that left sensitive files exposed to anyone online.
The exposed data included user names, email addresses and print statistics for more than 100,000 users.
The metadata indicated that the community has printed more than 1.6 million photos.
Unfortunately, the security problems went far beyond the leaked images. Multiple versions of the Lifeprint firmware were also left in the same public bucket, and buried among those files was a private encryption key in plaintext, used to sign firmware updates.
With this key, attackers could create malicious firmware and distribute it as a legitimate update.
That scenario, if it happens, could allow hackers to hijack printers, execute their own code or even enlist the devices in botnets.
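A pre-publish check for the failure described above, private key material stored alongside firmware, written here as an added example; it is not code from the article, Cybernews or Lifeprint. The directory layout, file names and placeholder key are constructed, and the check only recognises PEM-encoded keys.

```python
import os
import re
import tempfile

# PEM headers that mark private key material (PKCS#8, RSA, EC, DSA, OpenSSH).
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)

def find_private_keys(release_dir):
    """Return sorted relative paths of files that contain a PEM private key header."""
    hits = []
    for root, _dirs, files in os.walk(release_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                # Raw byte search also catches a key embedded inside a firmware blob.
                if PRIVATE_KEY_RE.search(fh.read()):
                    rel = os.path.relpath(path, release_dir)
                    hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

def build_sample_release(base):
    """Write a constructed release tree: firmware images, a public key, a stray private key."""
    fake_key = (b"-----BEGIN PRIVATE KEY-----\n"
                b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
                b"-----END PRIVATE KEY-----\n")
    files = {
        "fw/v1.1/image.bin": b"\x7fFW" + b"\x00" * 64,
        "fw/v1.2/image.bin": b"\x7fFW" + b"\x00" * 32 + fake_key,
        "keys/signing_pub.pem": b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED\n"
                                b"-----END PUBLIC KEY-----\n",
        "keys/signing_key.pem": fake_key,
    }
    for rel, data in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    """Build the sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_release(base)
        return find_private_keys(base)

if __name__ == "__main__":
    for hit in demo():
        print("BLOCK PUBLISH: private key material in", hit)
```

Only the public half of a signing key pair needs to ship with firmware; a non-empty result from `find_private_keys` is a reason to stop the upload and rotate the key.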
“This is a textbook example of what not to do with IoT infrastructure,” a Cybernews researcher said.
“This leak shows multiple deviations from best practices, such as not adequately segregating user data, publishing cryptographic keys together with the firmware, and not using adequate access controls to ensure that only intended users can access their files and data.”
For Lifeprint users, the consequences could be devastating, since personal data combined with photos creates risks of identity theft, harassment and doxxing.
Intimate images could be particularly harmful, with the risk of blackmail and extortion, or lasting public shame if they appeared online.
Cybernews contacted Lifeprint’s parent company about the findings, but says it has not yet received a response. The leak was first detected at the end of July 2025, and so far no official statement has been issued.