IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Pixlr data breach exposes over 1.9 million user records

Bad actors could use the breached data in targeted phishing and credential-stuffing attacks

Pixlr website on a computer screen

For-profit hacker ShinyHunters has leaked 1.9 million Pixlr user records, including information bad actors could use to carry out targeted phishing and credential-stuffing attacks. Pixlr is a free online photo-editing application.

Experts believe the alleged Pixlr database that ShinyHunters posted may include 1,921,141 user records. Within these records are email addresses, login names, SHA-512 hashed passwords, a user's country, whether they signed up for the newsletter, and other sensitive information.

According to a Bleeping Computer report, ShinyHunters shared the database on the dark web. The hacker claimed they stole the database during their November breach of 123rf, which shares the same parent company as Pixlr. 

In the 123rf breach, hackers stole over 8.3 million user data records. These records contained email addresses, MD5 hashed passwords, company names, phone numbers, addresses, PayPal emails, and IP addresses.

ShinyHunters has also been responsible for data breaches at Minted, Chatbooks, Wattpad, and others.

Stephen Kapp, CTO and founder at Cortex Insight, told IT Pro that the Pixlr breach shows how cyber criminals are actively targeting organizations to monetize data.

“To help limit the damage, Pixlr should look to improve its internal processes by holding user information within application databases or dedicated SSO systems, such as those offered by AWS. This would allow for dedicated password hashing that includes a Salt Work Factor to help mitigate against brute force attacks,” Kapp said.

Boris Cipot, senior security engineer at Synopsys, told IT Pro that in the wake of this breach, users should change their password on Pixlr. They should also change the password on other sites where they may have reused their Pixlr password, as hackers can sometimes revert hashed passwords. 

“Users should also be prepared for possible phishing attacks. They should not blindly click on links sent via email. These links may lead you to a malicious site where you will be encouraged to 'change' your password. The same goes for documents - do not download anything without first verifying the authenticity of the sender. Cybercriminals will try to abuse every piece of information they have on you for their own personal gain; therefore, think twice before actioning any emails," Cipot said.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Protecting healthcare from cybercrime
Whitepaper

Protecting healthcare from cybercrime

25 May 2022
The truth about cyber security training
Whitepaper

The truth about cyber security training

25 Apr 2022
The truth about cyber security training
Whitepaper

The truth about cyber security training

25 Apr 2022
The Total Economic Impact™ of Mimecast
Whitepaper

The Total Economic Impact™ of Mimecast

25 Apr 2022

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Europe's first autonomous petrol station opens in Lisbon
automation

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
Linux-based Cheerscrypt ransomware found targeting VMware ESXi servers
ransomware

Linux-based Cheerscrypt ransomware found targeting VMware ESXi servers

26 May 2022