500px’s Data Breach, Happening Since July 2018
500px, the popular photography app, has forced all of its users to reset their passwords in a deliberate attempt to secure the remaining areas of its database. The leak exposed data belonging to a portion of its users to unknown third parties. “On February 8, 2019, our engineering team became aware of a potential security issue affecting certain user profile data. We immediately launched a comprehensive review of our systems to understand the nature and scope of the issue. We engaged a third-party expert to assist us in our investigation and are coordinating with law enforcement authorities on this matter,” explained a 500px representative in their official blog post.
According to 500px, its logs show that the ‘partial data breach’ resulted from unauthorized access dated July 5, 2018. Users should receive an email providing specific information on how to reset the password for their 500px account. As directly quoted from 500px’s press release, the following information was stolen:
- User’s first and last name as entered on 500px
- User’s 500px username
- The email address associated with user’s 500px login
- A hash of user’s password, which was hashed using a one-way cryptographic algorithm
- User’s birth date, if provided
- User’s city, state/province, country, if provided
- User’s gender, if provided
“Regardless of whether or not you were directly affected, given the nature of the personal data involved, we are alerting you to this matter so you can take steps to help protect yourself against the risk of phishing, spam, and other misuse of your information as a result of this issue,” said 500px.
Users are advised to stay alert and to change their 500px password as well as their passwords on other sites, since some users will have reused the same password across many websites. 500px has guaranteed that it has checked its servers and other subsystems, including its storage devices, so that the incident is not repeated.
“Going forward, we will continue to enhance our security measures to help keep your data safe and we are implementing additional measures to help prevent this type of incident from reoccurring. We are continuing to upgrade our network infrastructure. Over the last 12 months, we have undertaken a major upgrade to our network infrastructure—this project is nearing completion, and will also offer a significant increase in security,” added 500px.
500px has emphasized that deleting an account through normal means does not resolve the issue for the user. Users can still, at their own discretion, choose to delete their account and download a copy of their data. Extraction of user data can be completed 72 hours after receipt of the request.
Julia Sowells