Talk about a snappy attack - popular photo booth maker allegedly leaves user images at risk
Snaps taken at photo booths get uploaded on the internet
- A flaw in Hama Film’s website exposed photo‑booth images from the US, UAE, and Australia to anyone who knew where to look
- Researchers saw 1,000+ images from Melbourne booths, and say photos were accessible for up to 24 hours
- Even short‑term exposure enables identity abuse: fake profiles, scams, bypassing selfie checks, and building synthetic identities
A popular photo booth chain operating across the US, UAE, and Australia was found to store all its image data on a server that can (easily) be accessed through the website of the device manufacturer, essentially exposing people’s identities to potentially malicious players, experts have warned.
A cybersecurity researcher going by the alias Zeacer told TechCrunch that at one point, they were able to view more than 1,000 pictures for Melbourne-based booths.
Zeacer reached out to Hama Film to notify it of the vulnerability in its website, but received no response - forcing the researcher to reach out to the media, sharing a sample of pictures taken from the company’s servers which showed groups of clearly young people posing in photo booths.
A thousand exposed photos
Even if we ignore the obvious question - why would a photo booth store these pictures anywhere in the first place - it is also worth mentioning that the images don’t appear to be stored permanently.
Zeacer’s initial investigation determined that the photos get deleted every two to three weeks, but later said they actually get removed after 24 hours.
While this definitely limits the number of pictures exposed at a given moment, a particularly persistent attacker (or one that automates their work) could still download all of the photos passing through the infrastructure.
Once hackers obtain these photos, the abuse potential multiplies fast. Clear facial images can be used to create convincing fake social media profiles, which are then weaponized for romance scams, investment fraud, or social engineering attacks.
Cybercriminals can use stolen photos to pass basic identity checks, register for online services, or bypass weak “selfie verification” systems. In some cases, they can even be paired with leaked personal data to apply for jobs, open accounts, or build synthetic identities.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.