Lifeprint app on iOS and Android spilled 2 million private photos


A portable photo printer, Lifeprint, meant to share memories just spilled millions of private photos onto the open internet. The company has not addressed the issue.

Cybernews researchers have revealed a data leak affecting Lifeprint portable printer users. The brand makes instant photo printers for iPhone and Android, letting users print photos and GIFs directly from their phones. It belongs to C+A Global, a New Jersey-registered company founded in 2003. The app tied to the leak is used by all Lifeprint printer users to print photos and share snapshots or clips directly to someone else’s printer. The app has over 100,000 downloads on Google Play.

The leak was caused by a misconfigured bucket that lacked authentication. Any internet user could have accessed over 8 million files, including 2 million unique photos, exported user data in JSON and CSV formats, and lists of usernames, email addresses, and printing stats for more than 100,000 users.


According to the stored metadata, these users printed a combined 1.6 million photos.

[Image: Leaked private photo.]

Risk of printer takeover

The research team also found that the public cloud bucket contained multiple versions of the printer’s firmware. Buried inside the files was a private encryption key, left in plain text, which appeared to be used to sign the firmware.

Exposing the key in this way effectively nullifies the security measure altogether. If printers are configured to look for new files on the bucket to initialize updates, exploiting the key could potentially allow attackers to craft and sign malicious firmware.

Then they could upload it to the bucket, and potentially trigger automatic updates on user devices. If this theoretical scenario is plausible, it would enable attackers to hijack the printers and make them run custom code, or even conscript them into botnets.
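The failure described above, a signing key shipped inside the published firmware files, can be caught by a release gate that scans every artifact for PEM private-key markers before upload. The following is an added example, not code from Cybernews or Lifeprint; the function names and the sample file names are assumptions, and the embedded key block is a constructed dummy.

```python
import re
import tempfile
from pathlib import Path

# PEM armor for private keys: PKCS#1 (RSA), SEC1 (EC), DSA, OpenSSH and
# PKCS#8 (plain or ENCRYPTED). Public keys and certificates do not match.
BEGIN = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----")

def find_private_keys(blob: bytes):
    """Return one dict per private-key marker found anywhere in a binary blob."""
    hits = []
    for m in BEGIN.finditer(blob):
        end = blob.find(b"-----END " + m.group(1) + b"-----", m.end())
        # A truncated block (no END line) is still reported: it may hold
        # enough key material to matter and shows a key reached the build.
        hits.append({"offset": m.start(), "type": m.group(1).decode(),
                     "complete": end != -1})
    return hits

def scan_release(root):
    """Scan every file under root; return {relative_path: hits} for hits only."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            hits = find_private_keys(path.read_bytes())
            if hits:
                findings[str(path.relative_to(root))] = hits
    return findings

def build_sample_release(root):
    """Constructed sample: a clean image, an image with a dummy key, a public key."""
    root = Path(root)
    (root / "fw_1.0.bin").write_bytes(b"\x7fFW" + bytes(64))
    dummy = (b"-----BEGIN RSA PRIVATE KEY-----\n"
             b"Tk9UIEEgUkVBTCBLRVk=\n"  # base64 of "NOT A REAL KEY"
             b"-----END RSA PRIVATE KEY-----\n")
    (root / "fw_1.1.bin").write_bytes(bytes(128) + dummy + bytes(32))
    (root / "pub.pem").write_bytes(
        b"-----BEGIN PUBLIC KEY-----\nAAAA\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_release(d)
        findings = scan_release(d)
        for name, hits in findings.items():
            for h in hits:
                print(f"BLOCK RELEASE: {name} offset={h['offset']} type={h['type']}")
        raise SystemExit(1 if findings else 0)  # non-zero exit fails the pipeline
```

A hit means the key must be treated as compromised and rotated, since removing the file from the bucket does not undo earlier downloads.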

[Image: Certificate information for the leaked RSA private key.]
[Image: Leaked RSA private key.]

Why does the leak matter?

Lifeprint users face multiple risks, such as identity exposure through leaked personal information. Leaked photos can often be intimate, exposing the user's private life to anyone on the internet. Also, the leaked personal information could be used in identity theft, harassment, and doxxing attacks.

“This is a textbook example of what not to do with IoT infrastructure,” a Cybernews researcher said.

“This leak shows multiple deviations from best practices, such as not properly segregating user data, publishing cryptographic keys together with the firmware, not employing proper access controls to ensure that only the intended users would be able to access their files and data,” they added.

Also, affected users are in theoretical danger of malicious firmware taking over their devices. Cybernews contacted the company, but no response was received.

[Image: User data and print counts.]

Disclosure timeline

Leak discovered: July 28th, 2025
Initial disclosure: July 29th, 2025
CERT contacted: August 6th, 2025

