- Lifeprint app leak exposed 2 million private photos and user information
- Misconfigured storage also revealed firmware keys creating risk of malicious printer hijacks
- Users face threats of blackmail, identity theft and harassment from exposed data
A major privacy incident has exposed millions of private photos from Lifeprint, a portable photo printer system.
The leak, uncovered by researchers at Cybernews, revealed over 8 million files, including 2 million unique photos, that were accessible without authentication.
Lifeprint is produced by C+A Global, a New Jersey company founded in 2003, allowing users to send images and GIFs directly from a smartphone to a connected device, or even to a friend’s printer through an app for iOS and Android, and the Android version of the app has been downloaded more than 100,000 times on Google Play.
More than 1.6 million photos printed
According to the researchers, the leak was caused by a misconfigured storage bucket that left sensitive files exposed to anyone online.
The exposed data included usernames, email addresses and print statistics for over 100,000 users.
Metadata indicated that the community has printed more than 1.6 million photos.
The security issues went far beyond leaked images unfortunately, as multiple versions of Lifeprint’s firmware were also left in the same public bucket and buried in those files was a private encryption key in plain text, used to sign firmware updates.
With this key, attackers could potentially create malicious firmware and distribute it as a legitimate update.
That scenario, if it came to pass, could allow hackers to hijack printers, run their own code, or even fold the devices into botnets.
“This is a textbook example of what not to do with IoT infrastructure,” a Cybernews researcher said.
“This leak shows multiple deviations from best practices, such as not properly segregating user data, publishing cryptographic keys together with the firmware, not employing proper access controls to ensure that only the intended users would be able to access their files and data.”
For Lifeprint users, the consequences could be devastating, as personal details combined with photos create risks of identity theft, harassment and doxxing.
Intimate images could be particularly damaging, with the risk of blackmail and extortion, or long-lasting public embarrassment if they were to appear online.
Cybernews reached out to Lifeprint’s parent company about the findings, but says it has yet to receive a reply. The leak was first detected in late July 2025, and as of now, no official statement has been issued.
