- Zeacer discovered that Hama Film's backend allows anyone to download every customer photo on its servers with basic automated scripts
- The vulnerability was reported in October. As of December, it remains only partially fixed, with a 24-hour deletion window still allowing exploitation
- This mirrors Tyler Technologies' rate-limiting failure reported last month, showing a pattern of companies avoiding baseline security practices
- For builders: rate-limiting isn't optional. For decision-makers: vendor security audits need to verify implementation of basics, not just policies
A photo booth company has left customer images publicly accessible thanks to a security flaw so basic it's almost unbelievable: no rate-limiting on its backend systems. Security researcher Zeacer discovered the vulnerability in October, reported it to Hama Film, and heard nothing back. As of this week, the company still hasn't fully resolved the issue. This isn't an isolated failure—it's the latest evidence that companies handling customer data routinely skip security fundamentals, leaving millions exposed to trivial exploitation methods.
Hama Film makes photo booths that do one job well: print physical photos while uploading digital copies to the cloud. They do it in Australia, the UAE, and across the United States through franchise partners. But somewhere between the booth and the server, the company forgot about security.
Security researcher Zeacer found the problem in October. He alerted Hama Film and its parent company Vibecast to a straightforward vulnerability: the backend storing customer photos had no rate-limiting. No friction. No automation detection. Just direct, unlimited access to every image on the server. He could download thousands of pictures in minutes using a basic script.
He reported this in October. No response. He followed up in late November. Still nothing. On Friday, as TechCrunch published his findings, Hama Film had implemented only a partial fix: deleting photos after 24 hours instead of two to three weeks. But the underlying vulnerability remains. A hacker could still exploit it daily, downloading that entire 24-hour window of customer photos before deletion.
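As an added illustration (not from the article, and not Hama Film's or Vibecast's code), here is how a defender would look in ordinary web-server access logs for the mass-download pattern described above: sustained bursts of successful photo fetches from one client, and photo IDs that step up by exactly one, which is what a scripted walk over a predictable ID scheme looks like. The log format, IP addresses, `/photos/<id>.jpg` path scheme, thresholds and all log lines are constructed for the example; the article does not say how Hama Film's photo URLs are structured, so the sequential-ID heuristic is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined"-style line: client, timestamp, request, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Assumed URL scheme for the example: numeric photo IDs under /photos/.
PHOTO_RE = re.compile(r'^/photos/(?P<id>\d+)\.jpg$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a photo fetch, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PHOTO_RE.match(m.group("path"))
    if not p:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "photo_id": int(p.group("id")),
        "status": int(m.group("status")),
    }


def find_bulk_downloaders(lines, window_s=60, max_per_window=20, min_sequential=0.8):
    """Flag clients whose successful photo fetches exceed max_per_window inside any
    window_s-second sliding window. Also report how often consecutive photo IDs
    differ by exactly one: a sign of scripted enumeration rather than a person
    opening their own few pictures."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["status"] == 200:
            per_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])  # stable sort keeps request order within a second
        window = deque()
        peak = 0
        for ev in events:
            window.append(ev)
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_s:
                window.popleft()
            peak = max(peak, len(window))
        ids = [e["photo_id"] for e in events]
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        seq_ratio = steps / (len(ids) - 1) if len(ids) > 1 else 0.0
        if peak > max_per_window:
            flagged[ip] = {
                "peak_per_window": peak,
                "total": len(ids),
                "sequential_ratio": round(seq_ratio, 2),
                "enumeration": seq_ratio >= min_sequential,
            }
    return flagged


def constructed_log():
    """Constructed sample traffic (not real Hama Film logs): one client pulling 30
    consecutive photos in 15 seconds, plus a few ordinary users."""
    base = datetime(2025, 10, 10, 14, 0, 0, tzinfo=timezone.utc)

    def line(ts, ip, photo_id, status=200):
        return (f'{ip} - - [{ts.strftime(TS_FMT)}] '
                f'"GET /photos/{photo_id}.jpg HTTP/1.1" {status} 52311')

    lines = [line(base + timedelta(seconds=i // 2), "203.0.113.7", 100001 + i)
             for i in range(30)]                      # scripted: two fetches per second
    lines += [
        line(base + timedelta(minutes=3, seconds=10), "198.51.100.5", 100013),
        line(base + timedelta(minutes=3, seconds=12), "198.51.100.5", 100014),
        line(base + timedelta(minutes=5), "198.51.100.9", 100020),
        line(base + timedelta(minutes=6), "198.51.100.9", 999999, 404),  # not a 200: ignored
    ]
    return lines


if __name__ == "__main__":
    for ip, info in find_bulk_downloaders(constructed_log()).items():
        print(ip, info)
```

The second user fetches two consecutive IDs too, which is why the burst threshold and the sequential-ID ratio are reported together rather than either one alone deciding: two adjacent photos from one booth session is normal, thirty in fifteen seconds is not. Against real logs the same pass tells you whether a bulk download happened and roughly which ID range it covered, which is the question the article leaves open for Hama Film's customers.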
What makes this infuriating isn't the existence of the vulnerability—bugs happen. It's that rate-limiting isn't a cutting-edge security practice. It's a baseline. It's the kind of protection that's been standard practice for over a decade. Banks use it. Social platforms use it. Every major cloud service implements it. Yet here's a company in 2025, operating in multiple countries with photo booth franchises, handling thousands of customer images, and skipping it entirely.
The researcher shared samples of the exposed photos with TechCrunch. Groups of clearly young people posing in photo booths. Personal moments meant to be memories, instead broadcast to anyone with internet access and five minutes of technical knowledge.
This pattern should sound familiar. Last month, TechCrunch reported that Tyler Technologies—a government contractor managing court and jury systems across multiple U.S. states—had the same problem. No rate-limiting on systems handling jurors' personal information. Which meant attackers could mass-guess passwords using simple date-of-birth combinations and sequential ID numbers. A government security system failed at the same basic defense that Hama Film is only now partially implementing.
Vibecast, the parent company, hasn't responded to TechCrunch's requests for comment. CEO Joel Park hasn't replied via LinkedIn. The message seems to be: acknowledge nothing, implement minimally, hope it blows over.
But here's what matters for different audiences: For builders constructing IoT systems or cloud services that touch customer data, this should trigger an immediate audit. Rate-limiting isn't optional infrastructure—it's the difference between a service and a liability. For decision-makers evaluating vendors, this is the test: ask specifically about rate-limiting implementation. Not "Do you have security?" Ask about this one thing. If they haven't built it in, they're shipping 2010-era infrastructure in 2025. For investors evaluating IoT or photo service startups, regulatory liability is now crystallizing. Exposed customer photos create GDPR, CCPA, and state privacy law exposure. That's not a technical issue anymore—it's a financial one.
The timing here matters too. This vulnerability existed for months before disclosure. At one point, more than 1,000 photos from Hama Film booths in Melbourne alone sat on unprotected servers. How many franchise operators are currently running their own photo booths with the same vulnerability still live? The company has global presence—how many customers in how many countries don't yet know their images were exposed?
Zeacer did everything right. He found the flaw responsibly. He reported it through proper channels. He waited. He followed up. And the company responded with silence. This is the gap between security research and reality: finding a vulnerability is table stakes. Getting companies to fix it remains the hard problem.
This is a cybersecurity incident, not an industry inflection point. But what it demonstrates is critical: companies still skip baseline security practices even when handling intimate customer data. For builders, the lesson is clear—rate-limiting is non-negotiable infrastructure. For enterprises evaluating vendors, this should prompt immediate audits of specific security implementation, not just security policies. For investors, the liability cascade is becoming material: exposed customer photos trigger regulatory exposure that converts to real financial risk. Watch how regulators in Australia, UAE, and U.S. franchises respond—this will set precedent for vendor accountability. The next threshold: whether franchisees face secondary liability for parent company negligence.