A forgotten, publicly exposed database has leaked over 300,000 user records belonging to Francis Frith, the UK's historic photography archive.
Founded in 1860, Francis Frith is renowned for its vast collection of old photographs documenting towns and villages across Great Britain. The company, managed by Heritage Resource Management Ltd., sells prints and photo products sourced from this archive.
The Data Exposure
Cybersecurity researchers discovered an unsecured Elasticsearch instance leaking user information and private messages. The database lacked any authentication and was freely accessible to anyone on the internet.
The breach exposed user data that included:
- Full names
- Email addresses
- Physical addresses for some users (embedded in private messages)
The exposed records spanned nearly two decades, with some data dating back as far as 2006. The database contained close to 44,000 customer inquiry messages.
Risk of Phishing and Impersonation
Although the leaked information did not include financial or password data, it poses a significant privacy risk. Attackers could use the harvested names and email addresses to impersonate the Francis Frith brand. For example, they might craft targeted phishing and spam campaigns about fake photo mug or book orders. These fraudulent emails could lead victims to malicious websites designed to steal credentials or credit card details, or to install keystroke-tracking malware. The danger is particularly high for customers who included home addresses or other identifiable details in their exposed messages.

