The real problem arises because files are named sequentially at Smugmug which means that anyone with just a little bit of technical knowledge will be able to download all images from all galleries set to public and private. The only galleries that are not accessible are the password protected ones obviously.

The urls for the galleries can be accessed by opening a url starting with http://www.smugmug.com/gallery/*, for example http://www.smugmug.com/gallery/1000, http://www.smugmug.com/gallery/1001 in your browser. Pictures can be accessed directly by loading http://www.smugmug.com/photos/*-M.jpg in your browser where * is a number between 1 and x. So, everyone can access pictures like http://www.smugmug.com/photos/1000-M.jpg, http://www.smugmug.com/photos/10001-M.jpg and so on.

Google Blogoscope who discovered this loophole contacted Smugmug and received a reply that was not that satisfactory. According to CEO Don MacAskill this is the intended way it should work:

First of all, we view security and privacy as two separate, but related, issues. Security is like locking your front door (no-one can get in with out a key) and privacy is like closing your window drapes (no-one can look in from the outside, but you can tell people where you live and they can visit without a key).

At SmugMug, the feature you’re talking about, private galleries, falls under the privacy umbrella, not security. It’s intentionally designed so that you can “tell other people” about your photos (share a URL in an email, embed or hyperlink on your blog or message forum, etc) without having to share something like a password. Only people you’ve shared this URL with can find the gallery and/or photos in question.