Widely used photo-sharing service 500px has now reported that potentially all of the company’s approximately 14.8 million users may have had personal data exposed in a cybersecurity breach that occurred back in July of 2018. The breach includes a wealth of personal user data and was discovered on February 8, after the companies engineering team was alerted to potential security issues. A full review of the underlying systems led to the discovery of at least one breach.
Data that was potentially taken by the perpetrators via unauthorized access starts with the first and last name of users, as that information was entered on the site and their 500px. Usernames and the email address associated with a given account was accessed as well as the date of birth, location information, and any gender users had entered for the site or application.
Hashed passwords, protected using one-way encryption, were taken too.
Protect your account, or what’s left of it
The security breach, according to 500px appears to have been a one-time affair, with no indication that more than one malicious act occurred. So the breach does not appear to directly affect every user. Those who have signed in using an external account, such as Google or Facebook, don’t need to be concerned either since single-use session tokens are utilized for account access at every login.
The company also says there’s no indication that any accounts themselves were breached.
Users who sign up for either the web or mobile application version of 500px prior to July 5 of last year are undoubtedly affected, however. The company is now in the process of reaching out to users via an email to reset passwords. Those who haven’t received the password reset email should immediately reset and change their login credentials.
Password resetting should extend to any other website where the same or a similar combination of email, password, name, and other personal data may have been used too, 500px notes. Malicious entities could conceivably use the information stolen from 500px to attack users via other accounts.
500px’s own response to the breach is, as mentioned above, to force reset all ‘MD5-encrypted’ passwords and perform a system-wide password reset. The company is additionally vetting access to servers, databases, and sensitive data storage services as well as monitoring both user-facing and internal source code. The software development process and development on the 500px network infrastructure are undergoing changes too, in hopes of preventing future issues.
Law enforcement has also been notified and 500px is working with those officials as well as leading cybersecurity experts across all internal systems, mobile apps, web pages, and internal security protocol.
Topping off a year of breaches
2018 was notoriously bad in terms of cybersecurity breaches and personal data leaks not only for 500px but for a number of similarly popular services. Setting aside the breach that came to light surrounding Google’s relatively low-ranking social networking site, Facebook faced a veritable wave of breaches in rapid succession. While that company appears mostly apathetic about users’ privacy, at very least 500px seems to be taking things seriously. Regardless, it is hardly surprising that 500px was impacted in the past 12 months given the high rate of security lapses.