Pixlr data breach exposes over 1.9 million user records

Bad actors could use the breached data in targeted phishing and credential-stuffing attacks


For-profit hacker ShinyHunters has leaked 1.9 million Pixlr user records, including information bad actors could use to carry out targeted phishing and credential-stuffing attacks. Pixlr is a free online photo-editing application.

Experts believe the alleged Pixlr database that ShinyHunters posted may include 1,921,141 user records. Within these records are email addresses, login names, SHA-512 hashed passwords, a user's country, whether they signed up for the newsletter, and other sensitive information.

According to a Bleeping Computer report, ShinyHunters shared the database on the dark web. The hacker claimed they stole the database during their November breach of 123rf, which shares the same parent company as Pixlr. 

In the 123rf breach, hackers stole over 8.3 million user data records. These records contained email addresses, MD5 hashed passwords, company names, phone numbers, addresses, PayPal emails, and IP addresses.

ShinyHunters has also been responsible for data breaches at Minted, Chatbooks, Wattpad, and others.

Stephen Kapp, CTO and founder at Cortex Insight, told IT Pro that the Pixlr breach shows how cyber criminals are actively targeting organizations to monetize data.

“To help limit the damage, Pixlr should look to improve its internal processes by holding user information within application databases or dedicated SSO systems, such as those offered by AWS. This would allow for dedicated password hashing that includes a Salt Work Factor to help mitigate against brute force attacks,” Kapp said.
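The hashing Kapp describes is salted, iterated password hashing, as opposed to the bare SHA-512 digests the article says the leaked Pixlr records contain. The following is an added example written for this page, not code from Pixlr, Cortex Insight or the article, and it uses only the Python standard library; the iteration count and the sample passwords are constructed values for illustration, not recommendations from the article.

```python
import hashlib
import hmac
import os
from typing import Optional

# Unsalted, single-round SHA-512: the form the article reports for the
# leaked records. It is fast to compute, and two users who share a password
# get the same digest, so one precomputed lookup cracks both at once.
def sha512_unsalted(password: str) -> str:
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


# Constructed work factor for this example (stdlib PBKDF2-HMAC-SHA512).
# Each guess now costs an attacker this many HMAC computations, not one.
DEFAULT_ITERATIONS = 100_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        salt, expected, iterations = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iters)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha512":
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    # Constructed sample: two accounts that happen to share a password.
    alice_pw, bob_pw = "hunter2", "hunter2"
    stored_alice = hash_password(alice_pw)
    stored_bob = hash_password(bob_pw)
    return {
        # Same password, same unsalted digest: crackable as a batch.
        "unsalted_digests_identical": sha512_unsalted(alice_pw) == sha512_unsalted(bob_pw),
        # Same password, different salts: each record must be attacked separately.
        "salted_records_identical": stored_alice == stored_bob,
        "alice_verifies": verify_password("hunter2", stored_alice),
        "wrong_password_rejected": verify_password("hunter3", stored_alice),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Storing the scheme and iteration count inside the record lets the work factor be raised later for new or re-hashed passwords without breaking verification of older ones.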

Boris Cipot, senior security engineer at Synopsys, told IT Pro that in the wake of this breach, users should change their password on Pixlr. They should also change the password on other sites where they may have reused their Pixlr password, as hackers can sometimes revert hashed passwords. 

“Users should also be prepared for possible phishing attacks. They should not blindly click on links sent via email. These links may lead you to a malicious site where you will be encouraged to 'change' your password. The same goes for documents - do not download anything without first verifying the authenticity of the sender. Cybercriminals will try to abuse every piece of information they have on you for their own personal gain; therefore, think twice before actioning any emails,” Cipot said.
