Pixlr data breach exposes over 1.9 million user records

Bad actors could use the breached data in targeted phishing and credential-stuffing attacks

Pixlr website on a computer screen

For-profit hacker ShinyHunters has leaked 1.9 million Pixlr user records, including information bad actors could use to carry out targeted phishing and credential-stuffing attacks. Pixlr is a free online photo-editing application.

Experts believe the alleged Pixlr database that ShinyHunters posted may include 1,921,141 user records. Within these records are email addresses, login names, SHA-512 hashed passwords, a user's country, whether they signed up for the newsletter, and other sensitive information.

According to a Bleeping Computer report, ShinyHunters shared the database on the dark web. The hacker claimed they stole the database during their November breach of 123rf, which shares the same parent company as Pixlr. 

In the 123rf breach, hackers stole over 8.3 million user data records. These records contained email addresses, MD5 hashed passwords, company names, phone numbers, addresses, PayPal emails, and IP addresses.

ShinyHunters has also been responsible for data breaches at Minted, Chatbooks, Wattpad, and others.

Stephen Kapp, CTO and founder at Cortex Insight, told IT Pro that the Pixlr breach shows how cyber criminals are actively targeting organizations to monetize data.

“To help limit the damage, Pixlr should look to improve its internal processes by holding user information within application databases or dedicated SSO systems, such as those offered by AWS. This would allow for dedicated password hashing that includes a Salt Work Factor to help mitigate against brute force attacks,” Kapp said.

Boris Cipot, senior security engineer at Synopsys, told IT Pro that in the wake of this breach, users should change their password on Pixlr. They should also change the password on other sites where they may have reused their Pixlr password, as hackers can sometimes revert hashed passwords. 

“Users should also be prepared for possible phishing attacks. They should not blindly click on links sent via email. These links may lead you to a malicious site where you will be encouraged to 'change' your password. The same goes for documents - do not download anything without first verifying the authenticity of the sender. Cybercriminals will try to abuse every piece of information they have on you for their own personal gain; therefore, think twice before actioning any emails," Cipot said.

Featured Resources

2021 Thales access management index: Global edition

The challenges of trusted access in a cloud-first world

Free download

Transforming higher education for the digital era

The future is yours

Free download

Building a cloud-native, hybrid-multi cloud infrastructure

Get ready for hybrid-multi cloud databases, AI, and machine learning workloads

Free download

The next biggest shopping destination is the cloud

Know why retail businesses must move to the cloud

Free Download

Recommended

Marsh McLennan reveals its cyber risk analytics center
risk management

Marsh McLennan reveals its cyber risk analytics center

15 Oct 2021
Justice Department unveils civil cyber fraud initiative to battle online crime
cyber attacks

Justice Department unveils civil cyber fraud initiative to battle online crime

7 Oct 2021
Senator to introduce new bill to force ransomware payment disclosures
ransomware

Senator to introduce new bill to force ransomware payment disclosures

6 Oct 2021
Identity Automation launches credential breach monitoring service
phishing

Identity Automation launches credential breach monitoring service

5 Oct 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Veritas Backup Exec 21.3 review: Covers every angle
backup software

Veritas Backup Exec 21.3 review: Covers every angle

14 Oct 2021