Pixlr data breach exposes over 1.9 million user records

Bad actors could use the breached data in targeted phishing and credential-stuffing attacks


For-profit hacker ShinyHunters has leaked 1.9 million Pixlr user records, including information bad actors could use to carry out targeted phishing and credential-stuffing attacks. Pixlr is a free online photo-editing application.

Experts believe the alleged Pixlr database that ShinyHunters posted may include 1,921,141 user records. Within these records are email addresses, login names, SHA-512 hashed passwords, a user's country, whether they signed up for the newsletter, and other sensitive information.

According to a Bleeping Computer report, ShinyHunters shared the database on the dark web. The hacker claimed they stole the database during their November breach of 123rf, which shares the same parent company as Pixlr. 

In the 123rf breach, hackers stole over 8.3 million user data records. These records contained email addresses, MD5 hashed passwords, company names, phone numbers, addresses, PayPal emails, and IP addresses.

ShinyHunters has also been responsible for data breaches at Minted, Chatbooks, Wattpad, and others.

Stephen Kapp, CTO and founder at Cortex Insight, told IT Pro that the Pixlr breach shows how cyber criminals are actively targeting organizations to monetize data.

“To help limit the damage, Pixlr should look to improve its internal processes by holding user information within application databases or dedicated SSO systems, such as those offered by AWS. This would allow for dedicated password hashing that includes a Salt Work Factor to help mitigate against brute force attacks,” Kapp said.
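The contrast Kapp draws between a bare hash and password hashing with a salt and a work factor, as an added example that is not code from Pixlr or from the article. It uses Python's standard-library PBKDF2-HMAC-SHA512 as a stand-in for whatever algorithm a real deployment would choose; the iteration count, storage format and function names are assumptions, and the article does not say whether the leaked SHA-512 hashes were salted.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "pbkdf2_sha512"
ITERATIONS = 210_000  # work factor (assumed value); raise it as hardware gets faster


def fast_unsalted(password: str) -> str:
    """One unsalted SHA-512 pass: identical passwords give identical digests."""
    return hashlib.sha512(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus a tunable work factor, stored beside the digest."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    enc = lambda b: base64.b64encode(b).decode()
    return "$".join([SCHEME, str(iterations), enc(salt), enc(dk)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        scheme, iterations, salt_b64, dk_b64 = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, int(iterations))
    except ValueError:  # malformed record, bad base64, non-numeric or zero cost
        return False
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str) -> bool:
    """True for legacy bare digests or records below the current work factor."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != SCHEME or int(parts[1]) < ITERATIONS


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("unsalted digests equal:", fast_unsalted(pw) == fast_unsalted(pw))
    a, b = hash_password(pw), hash_password(pw)
    print("salted records equal:  ", a == b)
    print("verifies:", verify_password(pw, a), "| legacy needs rehash:",
          needs_rehash(fast_unsalted(pw)))
```

Checking `needs_rehash` at each successful login lets a site upgrade legacy digests without forcing a mass reset.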

Boris Cipot, senior security engineer at Synopsys, told IT Pro that in the wake of this breach, users should change their password on Pixlr. They should also change the password on other sites where they may have reused their Pixlr password, as hackers can sometimes recover the original passwords from their hashes.

“Users should also be prepared for possible phishing attacks. They should not blindly click on links sent via email. These links may lead you to a malicious site where you will be encouraged to 'change' your password. The same goes for documents - do not download anything without first verifying the authenticity of the sender. Cybercriminals will try to abuse every piece of information they have on you for their own personal gain; therefore, think twice before actioning any emails,” Cipot said.
