For-profit hacker ShinyHunters has leaked 1.9 million Pixlr user records, including information bad actors could use to carry out targeted phishing and credential-stuffing attacks. Pixlr is a free online photo-editing application.
Experts believe the alleged Pixlr database that ShinyHunters posted may include 1,921,141 user records. Within these records are email addresses, login names, SHA-512 hashed passwords, a user's country, whether they signed up for the newsletter, and other sensitive information.
According to a Bleeping Computer report, ShinyHunters shared the database on the dark web. The hacker claimed they stole the database during their November breach of 123rf, which shares the same parent company as Pixlr.
In the 123rf breach, hackers stole over 8.3 million user data records. These records contained email addresses, MD5 hashed passwords, company names, phone numbers, addresses, PayPal emails, and IP addresses.
ShinyHunters has also been responsible for data breaches at Minted, Chatbooks, Wattpad, and others.
Stephen Kapp, CTO and founder at Cortex Insight, told IT Pro that the Pixlr breach shows how cyber criminals are actively targeting organizations to monetize data.
“To help limit the damage, Pixlr should look to improve its internal processes by holding user information within application databases or dedicated SSO systems, such as those offered by AWS. This would allow for dedicated password hashing that includes a Salt Work Factor to help mitigate against brute force attacks,” Kapp said.
Boris Cipot, senior security engineer at Synopsys, told IT Pro that in the wake of this breach, users should change their password on Pixlr. They should also change the password on other sites where they may have reused their Pixlr password, as hackers can sometimes revert hashed passwords.
“Users should also be prepared for possible phishing attacks. They should not blindly click on links sent via email. These links may lead you to a malicious site where you will be encouraged to 'change' your password. The same goes for documents - do not download anything without first verifying the authenticity of the sender. Cybercriminals will try to abuse every piece of information they have on you for their own personal gain; therefore, think twice before actioning any emails," Cipot said.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Capita tells pension provider to 'assume' nearly 500,000 customers' data stolenCapita told the pension provider to “work on the assumption” that data had been stolen
-
Gumtree site code made personal data of users and sellers publicly accessibleNews Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website
-
Pizza chain exposed 100,000 employees' Social Security numbersNews Former and current staff at California Pizza Kitchen potentially burned by hackers
-
83% of critical infrastructure companies have experienced breaches in the last three yearsNews Survey finds security practices are weak if not non-existent in critical firms
-
Identity Automation launches credential breach monitoring serviceNews New monitoring solution adds to the firm’s flagship RapidIdentity platform
-
Neiman Marcus data breach hits 4.6 million customersNews The breach took place last year, but details have only now come to light
-
Indiana notifies 750,000 after COVID-19 tracing data accessedNews The state is following up to ensure no information was transferred to bad actors
-
Pearson fined $1 million for downplaying severity of 2018 breachNews The SEC found the London-based firm made “misleading statements and omissions” about the intrusion
