- The Lifeprint application leak exhibited 2 million private photos and user information
- Poorly designed storage has also revealed firmware keys creating a risk of malicious printer
- Users are faced with threats of blackmail, identity theft and harassment from exposed data
A major confidentiality incident has exhibited millions of private photos from Lifeprint, a portable photo printer system.
Leak, discovered by researchers to Cybernessrevealed more than 8 million files, including 2 million unique photos, accessible without authentication.
Lifeprint is produced by C + A Global, a New Jersey company founded in 2003, allowing users to send images and GIFs directly from a smartphone to a connected device, or even to the printer of a friend via an application for iOS and Android, and the Android version of the application has been downloaded more than 100,000 times on Google Play.
Over 1.6 million printed photos
According to the researchers, the leak was caused by an erroneous storage bucket which left sensitive files exposed to anyone online.
The data on display included user names, email addresses and printing statistics for more than 100,000 users.
The metadata indicated that the community printed more than 1.6 million photos.
Safety problems have gone far beyond the disclosed images, because several versions of Lifeprint firmware were also left in the same public bucket and buried in these files was a private encryption key, used to sign micrologetal updates.
With this key, attackers could potentially create a malicious firmware and distribute it as a legitimate update.
This scenario, if happened, could allow hackers to divert printers, execute their own code or even fold the gear in botnets.
“This is an example of a manual of what should not be done with the IoT infrastructure”, has a Cyberness The researcher said.
“This leak shows several deviations from best practices, such as not correctly segregate user data, publication of cryptographic keys with firmware, without using appropriate access controls to guarantee that only planned users could access their files and data.”
For Lifeprint users, the consequences could be devastating, because personal details combined with photos create risk of identity, harassment and doxxing.
Intimate images could be particularly harmful, with the risk of blackmail and extortion, or the embarrassment of the long -standing public if they were to appear online.
Cyberness contacted Lifeprint’s parent company about the conclusions, but says that it has not yet received an answer. The leak was detected for the first time at the end of July 2025, and for the moment, no official declaration has been published.
