Photobucket faced security flaws within its users private image folders.

Federal prosecutors indicted and prosecuted two men on Friday with conspiracy and fraud charges after allegedly breaching the computer systems of Denver-based company Photobucket. The two men have been named as Athanasios Andrianakis, 26, of Sunnyvale, California and Brandon Bourret, 39, of Colorado Springs, and were arrested on May 8^th.

The two developed and marketed an application that allowed users to bypass the privacy settings on Photobucket giving its users access to private information without their permission. The app named “Photofucket” allowed users to access password-protected content on the website without permission.

A few years ago Reddit channels discussed using a security flaw in Photobucket.com to access pictures in private folders. If anyone online knew or even guessed a private photo’s direct URL it was accessible to anyone, and quite often guessing the filename of a digital cameras photo isn’t too difficult.

According to the indictment (PDF), evidence which has been used against Bourret and Andrianakis includes emails they sent discussing exploits in the site, messages they sent to Photofucket buyers, and Paypal transfers which funded the operation.

The U.S. Attorney John Walsh for the District of Colorado said in the statement:

“It is not safe to hide behind your computer, breach corporate servers and line your own pockets by victimizing those who have a right to protected privacy on the Internet,”

Andrianakis and Bourret both face one count of conspiracy, which carries a penalty of up to five years in prison and fines up to $250,000. In addition each of the men face a count of computer fraud, which carries the same maximum penalty, and also two counts of access device fraud, this carries a fine of up to $250,000 and up to10 years in federal prison per count.

With rising online fraud it appears that the district attorney wishes to make an example of the men with them facing a potentially large sentence.