Cyber Incident Victim: Curator Live
Date: Nov 2025
Location: United States of America
Summary
A security researcher discovered that Curator Live, a wedding and event photo booth provider, had left a large cache of images and associated phone numbers publicly accessible through its API. He found the exposure after submitting his own number at a booth and receiving a link to the exposed data. The exposed collection includes at least 100 GB of photos showing guests drinking, sometimes with children, and images from events such as a NASA‑branded gathering. The company did not respond to the researcher’s disclosure attempts. This left individuals’ personal moments vulnerable to anyone who could download the images and link them to phone numbers.
Description
A security researcher attended a wedding where the DJ company had deployed a Curator Live photo booth. The booth was configured to capture four photos per session and then prompted participants to enter a phone number to receive digital copies. After providing his number, the researcher received a text message containing a link to Curator Live’s API. By following that link he discovered that the API exposed a directory of images and associated metadata that was accessible without authentication. He verified that the exposed collection included photos from weddings, engagement parties, and a NASA‑branded event, and that some images were linked to the phone numbers submitted by users.

The researcher estimated that at least 100 GB of photographic data was openly available. The exposed set contained images of people drinking, cheering, and, in some cases, children, as well as photos that could be tied to specific phone numbers. He noted that the aggregation of visual content with personal contact information removed any reasonable expectation of privacy for booth users. The researcher reported that the data remained accessible at the time of his inquiry and that anyone with the link could browse the collection.

In November the researcher emailed Curator Live to disclose the vulnerability and request remediation, but he received no reply. He subsequently shared the details of his findings with 404 Media, which chose not to publish the technical specifics of the exposure while confirming that the data was still being leaked. Curator Live did not respond to 404 Media’s request for comment, and the company’s public website continued to describe its services as providing enterprise photo and video capture solutions for various events. No public statement or corrective action from Curator Live has been documented in the available sources.
