Naked Security

Photography site 500px resets 14.8 million passwords after data breach

Photography website 500px has become the latest online brand to admit suffering a serious data breach.

In an advisory, the company said it became aware of the breach last week. It estimates that the breach took place around 5 July last year.

This affected the majority of the site’s nearly 15 million users, who should shortly receive an email asking them to change their passwords as soon as possible.

Data stolen included names, usernames, email addresses, birth date (if provided), city, state, country, and gender. Also at risk:

A hash of your password, which was hashed using a one-way cryptographic algorithm.

The company hasn’t said which hashing algorithms were in use beyond mentioning that any using the obsolete MD5 function were being reset.

The fact it was using MD5 at all is not terribly reassuring for reasons Naked Security has previously discussed at some length.

A sliver of good news:

At this time, there is no indication of unauthorized access to your account, and no evidence that other data associated with your user profile was affected, such as credit card information (which is not stored on our servers), if used to make any purchases, or any other sensitive personal information.

Who is affected?

Everyone who had an account with 500px on or before 5 July 2018 may be affected by the breach. Users who joined after that will also have to change their passwords (which initiates automatically the next time a user tries to log in) although they will receive notification to do this later than the bulk of affected account holders.

Anyone who reset their account password after 8am UTC (3am Eastern) on 12 February doesn’t have to reset it a second time.

If the same or a very similar account password was used on any other sites, now would be a good time to change those too.

Why is 500px telling its users now?

Because earlier this week The Register got wind of a huge database of 617 million users circulating on the dark web, 14,870,304 of which appeared to be 500px’s.

500px said it learned of the breach on 8 February, which presumably was the day it was told that its data was part of this trove.

Several companies whose data was also part of the cache were already known to have been breached, while some others are new and unreported.

Most of the sites had their user data breached in the last year, which underlines how often and easily cybercriminals are still finding their way past organisations’ defences despite the known risks.

Prevention is better than resets

Our advice is to check the list of sites mentioned in that story and, if you have an account, reset the password without delay.

Next, turn on multi-factor authentication in whatever form it’s offered. For 500px it’s SMS-based or app-based 2FA.

3 Comments

Hrmph. If they just learned now of the breach, how do they know it happened in July? Merely because the account registered on July 6 isn’t part of the leaked info?

Smells like someone was caught with their lens cap down.

I don’t think you need to have any conspiracy theories about the claimed cut-off date.

It’s easy to assume that if they failed to notice the breach at all until they were told last week, how can they now be so sure when it happened? But it is also reasonable to assume that *now they know roughly what to look for*, and have a legal and moral imperative to go looking, they’re likely to be able to figure out when it happened, if not precisely how the crooks got in or exactly how much they made off with altogether.

TBH, I don’t think their response is that bad – as breach reports go, anyway. They’re pretty much saying that after 2019-07-05 you are probably OK but before you almost definitely aren’t.

Hindsight, as they say, gives you 6/6 vision – but 6/6 vision doesn’t mean you can see *everything*, just that you can see a satisfactory amount, rather than what you were seeing before, which was nothing…

Fair enough; I’ll defer to your (always well-reasoned) judgment.

Though I didn’t envision so much conspiracy as just a delayed response and/or scrambling to save face. Your explanation makes sense. And whether one’s hindsight is 6/6 or 20/20 it’s still easier to cast aspersions from it.

I stand erected. …thanks Duck. TGIF
