A company that makes photo booths is putting customers' photos and videos online because of a simple flaw in the website where the files are stored, according to a security researcher.
The researcher, known as Zeacer, alerted TechCrunch to the security issue in late November. He had reported the vulnerability in October to Hama Film, a photo booth maker with franchises in Australia, the United Arab Emirates, and the United States, but received no response.
Zeacer shared with TechCrunch a sample photo taken from Hama Film's servers that shows a group of apparently young people posing in a photo booth. In addition to printing photos like a typical photo booth, Hama Film's booth also allows customers to upload their photos to the company's servers.
Vibecast, which owns Hama Film, has not yet responded to the researcher's message alerting the company to the problem. Vibecast also did not respond to multiple requests for comment from TechCrunch, and Vibecast co-founder Joel Park did not respond to messages sent via LinkedIn.
The researcher said as of Friday, the company still had not fully resolved the security flaws and continued to leak customer data. For this reason, TechCrunch is refraining from disclosing specific details of this vulnerability.
When Zeacer first discovered the flaw, he noted that photos seemed to be deleted from the photo booth maker's servers every two to three weeks.
Currently, it appears that photos stored on the server are deleted after 24 hours, which limits the number of photos available at one time, he said. However, a hacker could still exploit the vulnerability every day to download any photo or video stored on the server.
Mr Giesser said he had seen more than 1000 photos online of Hama Film's booth in Melbourne before this week.
This incident is the latest example of a company failing, at least at one time, to implement certain basic and widely accepted security practices, such as rate limiting. Last month, TechCrunch reported that government contractor giant Tyler Technologies is not rate limiting its website, which courts use to manage jurors' personal information. This means anyone can break into a juror's profile by running a computer script that guesses a juror's date of birth and easy-to-guess numerical identifiers.

