
A Photo App Breach Just Happened. Check Your Permissions.

A 2026 breach exposed GPS data and account details from photo identification apps. Here's how to audit which apps can access your photo library.

In early 2026, security researchers identified a set of misconfigured Firebase databases belonging to several photo identification apps — tools that let you point your camera at a plant, insect, or animal and get an identification. Combined, these apps had millions of downloads. The exposed databases contained tens of thousands of user accounts, including email addresses, usernames, scrambled passwords, IP addresses, support tickets, and — notably — GPS coordinates attached to photos.

No payment data or government IDs were involved in this particular breach. But the GPS exposure is worth sitting with, because it’s a near-perfect example of a risk that exists quietly on almost everyone’s phone, in apps that have nothing to do with the photo’s actual content.


How a Misconfigured Database Becomes a Privacy Breach

The technical cause here is mundane: a cloud database (Firebase, in this case) configured without proper authentication, leaving it readable by anyone who found the address. This is a common — and avoidable — mistake, and it happens disproportionately in smaller apps that prioritize shipping features over security review.

What makes it relevant beyond “another breach happened” is what these apps were storing in the first place. A plant identification app’s core function doesn’t require knowing where you were standing when you took the photo. But if the app reads photo metadata — which most apps do by default when they request photo library access — that location data gets captured, stored, and in this case, exposed.

The lesson isn’t really about Firebase. It’s that any app with photo library access can see more than its function requires, and that data sits in that app’s infrastructure with whatever security practices that app’s developers happened to implement.
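To make "readable by anyone who found the address" concrete, here is an added example, not code from this article or from any of the affected apps: a wide-open Firebase Realtime Database rule set next to a scoped one, plus a small Python check that flags any `.read` or `.write` rule granting access without an `auth` condition. Both rule sets are constructed for illustration, and the `users/$uid` layout is an assumed schema, not any real app's.

```python
import json
from typing import List

# Constructed example of "test mode" style rules: every client on the internet can read and
# write the entire database. This is the class of misconfiguration the article describes.
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed locked-down baseline: nothing is readable by default, and each signed-in user
# can only reach their own subtree. The users/$uid layout is an assumption for illustration.
SCOPED_RULES = json.loads("""
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
}
""")


def find_public_access(rules: dict) -> List[str]:
    """Walk a Realtime Database rules tree and describe every .read/.write grant that does
    not depend on authentication: a literal true, the string "true", or any expression
    that never mentions `auth` (for example the time-limited "now < ..." form)."""
    findings: List[str] = []

    def walk(node, path: str) -> None:
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                if value is True or (isinstance(value, str) and value.strip() == "true"):
                    findings.append(f"{path}/{key} is unconditionally true")
                elif isinstance(value, str) and value.strip() != "false" and "auth" not in value:
                    findings.append(f"{path}/{key} = {value!r} does not check auth")
            elif key in (".validate", ".indexOn"):
                continue  # not access grants
            else:
                walk(value, f"{path}/{key}")

    walk(rules.get("rules", {}), "")
    return findings


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("scoped", SCOPED_RULES)):
        print(name, find_public_access(rules) or "no unauthenticated access found")
```

Firebase evaluates rules from the root downward, and a grant at a shallower node cannot be revoked by a deeper one, so a finding at the root is the one that makes the whole database public. Running a check like this over the rules file before every deploy is the kind of control that catches this class of mistake before anyone outside the team finds the address.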


What Photo Metadata Reveals When It Leaks

A photo’s EXIF metadata can include GPS coordinates accurate to within a few meters, the exact timestamp the photo was taken, and details about the device used. On its own, one photo’s metadata might seem harmless. In aggregate, across hundreds of photos over months or years, it’s a detailed log of where you were and when.

When that data is exposed in a breach, it’s not abstract. Combined with an email address — which was also in this breach — it becomes a map of someone’s home address (wherever most photos cluster overnight), workplace, and routine movements, attached to an identifiable person.

This is the same EXIF metadata described above; the difference here is that it didn’t require anyone to dig through your camera roll. It was sitting in a database that anyone could query.
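As an added example, not from the article, here is what "the app reads photo metadata" means at the byte level, in Python: it constructs a minimal TIFF/EXIF blob carrying a GPS sub-IFD, parses the degrees/minutes/seconds RATIONALs back into signed decimal coordinates (the form an app would store in its database), and then scrubs them. The blob and the coordinates are constructed sample data. A real JPEG wraps this TIFF structure inside an APP1 segment, which this example does not handle.

```python
import struct
from typing import List, Optional, Tuple

# TIFF 6.0 / EXIF 2.x constants: IFD0 tag 0x8825 points at the GPS sub-IFD, whose tags
# 1-4 hold the latitude/longitude references ("N"/"S", "E"/"W") and the DMS values.
GPS_IFD_TAG = 0x8825
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _to_dms(value: float) -> bytes:
    """Encode |value| degrees as three little-endian RATIONALs: deg/1, min/1, sec*1e4/1e4."""
    v = abs(value)
    deg = int(v)
    minutes = int((v - deg) * 60)
    sec_1e4 = round((v - deg - minutes / 60) * 3600 * 10_000)
    return struct.pack("<IIIIII", deg, 1, minutes, 1, sec_1e4, 10_000)


def build_exif_with_gps(lat: float, lon: float) -> bytes:
    """Constructed sample: a minimal little-endian TIFF/EXIF blob whose IFD0 holds only a
    GPS sub-IFD pointer. Offsets are fixed because the layout is fixed."""
    ifd0_off, gps_off, lat_off, lon_off = 8, 26, 80, 104  # header 8, IFD0 18, GPS IFD 54, 24 each
    header = b"II" + struct.pack("<HI", 42, ifd0_off)
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, TYPE_LONG, 1, gps_off) + struct.pack("<I", 0)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI4s", TAG_LAT_REF, TYPE_ASCII, 2, (b"N" if lat >= 0 else b"S") + b"\0\0\0")
    gps += struct.pack("<HHII", TAG_LAT, TYPE_RATIONAL, 3, lat_off)
    gps += struct.pack("<HHI4s", TAG_LON_REF, TYPE_ASCII, 2, (b"E" if lon >= 0 else b"W") + b"\0\0\0")
    gps += struct.pack("<HHII", TAG_LON, TYPE_RATIONAL, 3, lon_off)
    gps += struct.pack("<I", 0)  # no next IFD
    return header + ifd0 + gps + _to_dms(lat) + _to_dms(lon)


def _read_ifd(data: bytes, offset: int, e: str) -> dict:
    """Return {tag: (type, count, raw 4-byte value-or-offset field)} for the IFD at offset."""
    (count,) = struct.unpack_from(e + "H", data, offset)
    entries = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(e + "HHI4s", data, offset + 2 + 12 * i)
        entries[tag] = (typ, n, raw)
    return entries


def _rationals(data: bytes, e: str, offset: int, n: int) -> List[float]:
    vals = struct.unpack_from(e + "II" * n, data, offset)
    return [num / den for num, den in zip(vals[0::2], vals[1::2])]


def extract_gps(data: bytes) -> Optional[Tuple[float, float]]:
    """Return (lat, lon) in signed decimal degrees, or None if there is no usable GPS IFD."""
    e = "<" if data[:2] == b"II" else ">"
    magic, ifd0_off = struct.unpack_from(e + "HI", data, 2)
    if magic != 42:
        raise ValueError("not a TIFF/EXIF header")
    ifd0 = _read_ifd(data, ifd0_off, e)
    if GPS_IFD_TAG not in ifd0:
        return None
    (gps_off,) = struct.unpack(e + "I", ifd0[GPS_IFD_TAG][2])
    gps = _read_ifd(data, gps_off, e)
    if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None
    coords = []
    for ref_tag, val_tag, negative in ((TAG_LAT_REF, TAG_LAT, b"S"), (TAG_LON_REF, TAG_LON, b"W")):
        (off,) = struct.unpack(e + "I", gps[val_tag][2])
        d, m, s = _rationals(data, e, off, 3)
        decimal = d + m / 60 + s / 3600
        coords.append(-decimal if gps[ref_tag][2][:1] == negative else decimal)
    return coords[0], coords[1]


def strip_gps(data: bytes) -> bytes:
    """Copy with the GPS pointer removed from IFD0 and the GPS IFD plus its RATIONAL payloads
    overwritten with zeros, so the coordinates are gone from the bytes, not merely unlinked."""
    e = "<" if data[:2] == b"II" else ">"
    _, ifd0_off = struct.unpack_from(e + "HI", data, 2)
    ifd0 = _read_ifd(data, ifd0_off, e)
    if GPS_IFD_TAG not in ifd0:
        return data
    out = bytearray(data)
    (gps_off,) = struct.unpack(e + "I", ifd0[GPS_IFD_TAG][2])
    gps = _read_ifd(data, gps_off, e)
    for typ, n, raw in gps.values():  # zero the out-of-line DMS values first
        if typ == TYPE_RATIONAL:
            (off,) = struct.unpack(e + "I", raw)
            out[off:off + 8 * n] = bytes(8 * n)
    out[gps_off:gps_off + 6 + 12 * len(gps)] = bytes(6 + 12 * len(gps))  # zero the GPS IFD
    (count,) = struct.unpack_from(e + "H", data, ifd0_off)
    (next_off,) = struct.unpack_from(e + "I", data, ifd0_off + 2 + 12 * count)
    kept = [data[ifd0_off + 2 + 12 * i:ifd0_off + 14 + 12 * i] for i in range(count)
            if struct.unpack_from(e + "H", data, ifd0_off + 2 + 12 * i)[0] != GPS_IFD_TAG]
    # rewrite IFD0 in place without the GPS entry; the freed 12 bytes become zero padding
    new_ifd = struct.pack(e + "H", len(kept)) + b"".join(kept) + struct.pack(e + "I", next_off) + bytes(12)
    out[ifd0_off:ifd0_off + len(new_ifd)] = new_ifd
    return bytes(out)


if __name__ == "__main__":
    sample = build_exif_with_gps(48.8584, 2.2945)  # constructed coordinates
    print("stored:", extract_gps(sample), "after strip:", extract_gps(strip_gps(sample)))
```

`strip_gps` both unlinks the GPS IFD from IFD0 and overwrites its bytes, because removing only the pointer leaves the coordinates intact in the file for anyone who reads it raw. This is the processing an app should apply, ideally on the device before upload, whenever location is not part of its function; a plant identifier has no reason to ever see the GPS sub-IFD, let alone store it.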


The Permission Audit: 15 Minutes, Worth Doing Quarterly

Most phones make it straightforward to see which apps have access to your photo library, and most people have never looked. Here’s how, on both platforms:

On iPhone:

  1. Go to Settings → Privacy & Security → Photos
  2. You’ll see every app with any level of photo access, grouped by permission level: “All Photos,” “Selected Photos,” or “None”
  3. For any app set to “All Photos,” review whether it actually needs full library access

On Android:

  1. Go to Settings → Privacy → Permission manager → Photos and videos (exact path varies by manufacturer)
  2. Review the list of apps with access
  3. Tap any app to change its permission level

For each app on the list, ask: does this app’s core function require seeing my whole photo library? A photo identification app needs access to the specific photo you’re identifying — not your entire archive. A messaging app needs access to photos you choose to send — not automatic background access to everything.


Use “Selected Photos” Access Wherever It’s Offered

Both iOS and Android now support a middle ground: instead of granting an app access to your entire photo library or nothing, you can grant access to a specific selection of photos. The app sees only what you’ve explicitly chosen, and has to ask again if it wants more.

This is the right default for almost any app that doesn’t fundamentally revolve around your photo library — identification apps, social apps, editing tools, anything where “let me pick the photo I want to use” is a natural part of the workflow anyway.

Reserve “All Photos” access for apps where it’s actually core to the function: your phone’s backup service, and a dedicated photo storage or organization app you’ve deliberately chosen.


Why This Matters More for “Utility” Apps Than You’d Think

There’s a natural instinct to be more careful with apps that feel sensitive — banking apps, dating apps, anything tied to your identity. Apps that identify plants or calculate tips feel low-stakes by comparison.

But that instinct is backwards from a security perspective. High-profile apps from large companies tend to have dedicated security teams, bug bounty programs, and regulatory scrutiny. A utility app built by a small team, monetized through ads, with millions of downloads and “All Photos” access by default, is often the weaker link — not because the app is malicious, but because security wasn’t the priority during development.

The 2026 breach is a useful reminder that the relevant question isn’t “do I trust this company” — it’s “what does this company’s infrastructure expose if it’s misconfigured, and what data have I given it access to that it doesn’t strictly need?”


What to Do If You Think You Were Affected

If you’ve used a photo identification app, a niche utility app, or any app that had a publicized breach, a few steps reduce the practical impact:

Change your password for that account — and anywhere you reused it. Scrambled or hashed passwords from a breach can sometimes still be cracked, especially if the password was short or common. If you’ve used the same password elsewhere, that’s the first thing to fix.

Check whether your email appears in known breach databases. Services that track breach exposure let you check whether a specific email address has appeared in known incidents, which can confirm whether a particular breach affects you specifically.

Review what the app could have collected, not just what was confirmed leaked. Breach disclosures often describe what was found in the exposed database, but an app’s actual data collection — per its privacy policy — may be broader than what happened to be exposed in this particular incident. If the app had location access, assume location history existed somewhere, breach or not.

Revoke access for apps you no longer use. Old apps with lingering permissions are a common source of exposure long after you’ve stopped actively using them. The permission audit above is also a good moment to uninstall anything you no longer need.


Reducing Your Exposure Going Forward

A few habits make a meaningful difference over time:

  • Audit photo permissions quarterly. Apps accumulate; permissions granted years ago for features you no longer use often remain active.
  • Default to “Selected Photos” or “Ask Every Time.” Most apps work fine with this; the ones that genuinely need broader access will prompt you.
  • Be skeptical of apps that request photo access for unrelated features. A flashlight app or a calculator that requests photo library access is a signal worth noticing.
  • Periodically check what apps you’ve granted access to actually do with that access — many apps have a privacy policy section specifically about photo library use, and it’s often more revealing than you’d expect.


Signals to Check Before Granting Access in the First Place

The permission audit above deals with apps already on your phone. For new apps, a few minutes of checking before granting photo access can prevent the same exposure later:

  • Read the permission request in context. If an app asks for full photo library access during onboarding — before you’ve even used the core feature — that’s worth questioning. Apps that request permissions only when a feature actually needs them are generally better designed around minimal access.
  • Check the developer. A single developer or small studio with millions of downloads and a free, ad-supported model is a different risk profile than an established company with a dedicated security and privacy team. Neither guarantees good practices, but it’s a signal worth weighing.
  • Look for a privacy policy that’s specific. A privacy policy that explains exactly what’s collected, how long it’s retained, and whether it’s shared with third parties is a better sign than a generic template that could apply to any app.

None of this is foolproof — well-resourced companies have misconfigured databases too. But for the long tail of small utility apps, where this kind of breach is most common, a little diligence before installing goes further than diligence after the fact.


Where the Photos You Care About Should Live

The apps you grant broad photo access to are, by definition, apps whose security practices become part of your own. A breach in any one of them becomes a breach of whatever they could see.

For the photos, documents, and voice notes that matter most, a dedicated private storage app — one whose entire purpose is secure storage, rather than a side feature bolted onto an unrelated tool — is a meaningfully different risk profile. daftei stores files with AES-256 encryption at rest and TLS 1.3 in transit, is GDPR and CCPA compliant, never sells data, and never uses your content to train third-party AI models. It’s available on iOS, Android, and the web, with 5GB free and unlimited storage on Pro.

Reducing the number of apps with broad access to your photo library — and being deliberate about where the photos that matter most actually live — is one of the few security practices that’s both genuinely effective and entirely within your control.
