
500px suffered a data breach in July 2018 that exposed info of all 15M users

500px, the photo sharing service owned by Visual China Group (VCG), the world's third-largest visual content provider, has posted a security notice on its support site today, revealing that the platform suffered a security breach that exposed user data and profile information.

The breach was discovered by 500px engineers only a few days ago on February 8, but actually happened all the way back on July 5, 2018. The company says all users who signed up on or before that day are affected by the breach which exposed users' first and last names, usernames, email addresses, a hash of their passwords and dates of birth.

If users chose to provide gender and location information when signing up, that data was exposed as well. The good news is that 500px has found no signs of unauthorized entry into any of the affected user accounts. Payment information was not compromised either.

In its announcement 500px says it will upgrade its security measures and examine its source code in order to avoid similar issues in the future. The company is also asking all users to change their passwords. Because the data was taken roughly seven months before the notice went out, anyone who reused their 500px password on other sites should change it there as well.

Comments
sirhawkeye64

Hmmm.. owned by a Chinese company, and then suffers a data breach. Not surprising. Guess I'm glad I never bought into 500px (only browsed, never signed up).

Feb 15, 2019*
Clint Dunn

Why would anyone ever pay to use 500PX?? I keep a few pics on the site but have never provided a Visa number. I actually think 500PX has some amazing quality of work, far superior to what you see in say Flickr 'Explore'.

Feb 14, 2019
NickyB66

What do you expect from a China owned company.

Feb 14, 2019
UncoyDP

Adobe has allowed this kind of leak to take place two or three times with hundreds of millions of users and source code exposed. What you'd expect from an American owned company.

Feb 19, 2019
Copal Fit

Another issue with 500px... glad I never signed up there after I heard about other issues regarding photo copying etc. on this site a few years back.

Feb 14, 2019
jayfromeast

and?
people still use facebook and iphones..
identity theft became such a novial deal.
props to big companies that haven't been breached yet

Feb 14, 2019
MichelBB

What is the problem? Most people say they have nothing to hide.

Feb 14, 2019
SilvanBromide

@MichelBB It has nothing to do with people having - or not having - anything to hide.

There is a risk that the data may be used for phishing attempts, identity theft and other scams. FYI.

Feb 14, 2019
McArchive

"There is a risk that the data may be used for phishing attempts, identity theft and other scams. FYI."

That's the basis of the internet and cell service these days, no? Now, off to the cookie store....

Feb 14, 2019
sirhawkeye64

It's more that people's personal information is at stake, not so much what they post (in this case, pictures, on 500px). I mean, getting your hands on one's pictures is one thing, but getting info that could make it easier to steal an identity is the real concern. Someone probably isn't going to be able to go register credit cards in your name if they stole one of your pictures. Your personal info, however, may make it that much easier (although they're probably still missing some critical details they would need).

Feb 17, 2019*
BlueBomberTurbo

Ha, looks like I haven't touched my 500px account since 2010. No important info or any pics in there. Basically signed up, said meh, and never looked back.

Feb 14, 2019
vscd

We didn't miss you either.

Feb 14, 2019
BlueBomberTurbo

So much so that you had to personally comment. I feel loved. :)

Feb 14, 2019
vscd

You're so eloquent my deer. Sorry... my dear.

Feb 14, 2019
falconeyes

BREAKING NEWS
============================
500px is only one out of 16 known breaches. The list is as follows:

8fit (20 million)
500px (15 million)
Animoto (25 million)
Armor Games (11 million)
Artsy (1 million)
BookMate (8 million)
CoffeeMeetsBagel (6 million)
DataCamp (700,000)
Dubsmash (162 million)
EyeEm (22 million)
Fotolog (16 million)
HauteLook (28 million)
MyFitnessPal (151 million)
MyHeritage (92 million)
ShareThis (41 million)
Whitepages (18 million)

All account data is for sale in the dark net. Via: heise.de Source: https://www.theregister.co.uk/2019/02/11/620_million_hacked_accounts_dark_web/

Feb 13, 2019*
falconeyes

It is untrue that 500px acted on survey of log files. They acted after their data showed up for sale Feb 12.

Feb 13, 2019*
falconeyes

Details for 500px:

500px: 14,870,304 accounts for 0.217 BTC ($780) total
1.5GB of data taken July 2018. Each account record contains the username, email address, MD5-, SHA512- or bcrypt-hashed password, hash salt, first and last name, and if provided, birthday, gender, and city and country.

They started a system-wide password reset starting with MD5-hashed passwords (weakest).

Feb 13, 2019*
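The comment above describes a user table holding a mix of MD5-, SHA-512- and bcrypt-hashed passwords, with the forced reset started on the weakest scheme first. Two things a site in that position needs are an ordering of accounts for the reset and a way to rehash a legacy account the next time its owner logs in (the only moment the plaintext is available). The following is an added example, not 500px's code: the `$scheme$salt$digest` record format, the three users and their salts are constructed for the demo, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt as the target scheme.

```python
"""Weakest-first reset ordering and upgrade-on-login for a mixed hash table.
Added example; record format, users and salts are constructed, and PBKDF2
stands in for bcrypt so that it runs with only the standard library."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITER = 200_000
STRONG = "pbkdf2"  # target scheme; bcrypt or argon2 would be the real-world choice


# All three schemes are salted (salt || password), matching the notice's "hash salt".
def _md5(pw: str, salt: bytes) -> str:
    return hashlib.md5(salt + pw.encode()).hexdigest()


def _sha512(pw: str, salt: bytes) -> str:
    return hashlib.sha512(salt + pw.encode()).hexdigest()


def _pbkdf2(pw: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITER).hex()


SCHEMES = {"md5": _md5, "sha512": _sha512, "pbkdf2": _pbkdf2}
WEAKNESS = {"md5": 0, "sha512": 1, "pbkdf2": 2}  # lower rank = reset sooner


def make_record(scheme: str, pw: str, salt: Optional[bytes] = None) -> str:
    """Stored form: $scheme$salthex$digest (a constructed format for this demo)."""
    salt = salt or os.urandom(16)
    return f"${scheme}${salt.hex()}${SCHEMES[scheme](pw, salt)}"


def parse_record(rec: str) -> Tuple[str, bytes, str]:
    _, scheme, salt_hex, digest = rec.split("$")
    return scheme, bytes.fromhex(salt_hex), digest


def verify_and_upgrade(rec: str, pw: str) -> Tuple[bool, Optional[str]]:
    """Check pw against rec in constant time. On success, if rec uses a weaker
    scheme than STRONG, also return a replacement record the caller must store
    now; this is the only point at which the plaintext exists to rehash it."""
    scheme, salt, digest = parse_record(rec)
    if not hmac.compare_digest(SCHEMES[scheme](pw, salt), digest):
        return False, None
    if scheme == STRONG:
        return True, None
    return True, make_record(STRONG, pw)


def reset_priority(db: dict) -> list:
    """Usernames ordered weakest scheme first for a forced-reset campaign."""
    return sorted(db, key=lambda u: WEAKNESS[parse_record(db[u])[0]])


def build_demo_db() -> dict:
    """Constructed mixed table of the kind the breach notice describes."""
    return {
        "alice": make_record("md5", "letmein",
                             bytes.fromhex("00112233445566778899aabbccddeeff")),
        "bob": make_record("pbkdf2", "correct horse battery staple",
                           bytes.fromhex("ffeeddccbbaa99887766554433221100")),
        "carol": make_record("sha512", "Summer2018!",
                             bytes.fromhex("0123456789abcdef0123456789abcdef")),
    }


if __name__ == "__main__":
    db = build_demo_db()
    print("reset order:", reset_priority(db))
    ok, upgraded = verify_and_upgrade(db["alice"], "letmein")
    if ok and upgraded:
        db["alice"] = upgraded  # persist the stronger record immediately
    print("alice now stored under:", db["alice"].split("$")[1])
```

Upgrade-on-login only helps accounts that actually log in; accounts that never return keep their MD5 record, which is why a forced reset (weakest scheme first) still has to accompany it.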
5r82

Can't reset the password there as I don't receive 6 digit token. Anyone else having the same issue?

Feb 14, 2019
Wild Bill - Polo Protog

Now if only someone would offer to buy this data, and send the sellers a nice virus as payment.

Feb 15, 2019
(unknown member)

Way to go Chinese.

You can leak like the best of them.

Feb 13, 2019*
(unknown member)

?

Feb 14, 2019
CallumG

Well at least the passwords are hashed. That's the least I can ask for. Glad I left them, whoever "they" are. I left because I realised the big players probably used bots in the early days to mass like and comment to get their following.

With these companies, it's not if your data is leaked, it's when and who gets it.

Feb 13, 2019*
Razakel

According to the announcement they used the MD5 algorithm. This algorithm is flawed and hasn't been recommended for password hashing for more than 10 years now. If you use the same password somewhere else you should absolutely consider changing it.

Feb 15, 2019*
sirhawkeye64

The key is to put as little information as possible onto such services if you have decided you need to or want to use them. For example, I'm surprised at the number of people that put full info on FB (job, phone number, address, location, etc) and further more, the people that post when they're going on vacation, etc. My FB profile has virtually no data other than my name and email (which the email is only visible to friends anyway) and nothing else. I don't put my birthdate in (or it's at least not shown) or any location, and job information. None of that. And the only time I'll ever post that I was gone on vacation, is when I get back.

Feb 17, 2019
McArchive

The sharing economy keeps on growing!

Feb 13, 2019
Sirandar

I usually apply the one in 1000 rule to these happenings. For every incident anyone is aware about, there are 1000 that go undetected.

Only the mildly incompetent breach and the target becomes aware. Ones that make the news usually do so as part of wider considerations. Many remember Ashley Madison, a fake escort service that really just practiced extortion. How long that business stayed open is a testament to human nature.

Being an IT manager you are usually in a position of responsibility without any authority. Pretty much guaranteed mayhem. We implement tighter and tighter infrastructure based controls and compliance structures ..... until 90% of a job is compliance and the infrastructure itself replaces human involvement in it.

Maybe this is a good thing as Google's self driving vehicles are probably better at it than the average driver perhaps even now, and as they develop further human drivers will probably be the most risky on the road.

Feb 13, 2019*
aimatyna

I left 500px one year ago or so because some of their partners used my photos and didn't pay me at all. They practice dirty business.

Feb 13, 2019
McArchive

but did your data leave with you?

Feb 13, 2019
aimatyna

I left 500px in October 2017. I asked a manager to delete my account and all my data.
Useless request. My data is still there.
You can see my last photo there: simply type "amatyna" on the site 500px.com
I am indignant but not surprised...

Feb 14, 2019
sirhawkeye64

I would just go on the assumption that your data will ALWAYS be there. For example, Google: even if you delete your Google account, your data is still stored somewhere (in a server log, or something). Even if you actively delete an account, it's never really gone 100% for good.

Some privacy policies I think even state that they can/may keep some data for "statistical" or logging purposes (such as an IP address in a server log or something). Now, for most people, they don't have a static IP (although that doesn't mean you're completely safe from this, as some ISPs may keep logs as to who had what IP at what date/time), but for those who do, this can identify you and allow someone to backtrack to you through the ISP (not very likely, and it would require some work but it could be done).

Feb 17, 2019*
Wild Bill - Polo Protog

One of the reasons I NEVER used my real birthdate when creating accounts on such services (Facebook, 500px, E-mail accounts, etc.). FWIW: I have dropped all such accounts except E-mails and Disqus.

Feb 13, 2019
MySimplePhotosToday

I wonder if this could be the reason nobody sends me Happy Birthday messages.

Feb 15, 2019
Wild Bill - Polo Protog

Get/got them from some of those services, but always on the wrong date.

Feb 15, 2019
WebmasterNeal

My password reset email takes me to a page stating the following:
"Please enter the 6-digit verification code on your authenticator:"

And I don't have a 6 digit code to enter...

Feb 13, 2019
Kurt Helge Roesand

Yep, same here. So, I'm completely locked out of my account. When I finally get to log in I will delete my account for sure.

Feb 13, 2019*
David 247

I got that too, but I think there was a link below that (not obvious) to have the code sent to you if you didn't receive one. I did get a code and since I hadn't been using it, deleted the last of my photos and closed the account.

Feb 14, 2019
dpreviewblog

Strange... but when 500px went to China, my gallery became more popular... more favs, more watchers :)))
Btw... regularly resetting / changing all users' passwords is the only way to remove the bots and false accounts.

Feb 13, 2019*
tinternaut

I have the email from them but I'm not entirely sure if it applies to me. I sign into 500px via Facebook.

Feb 13, 2019
falconeyes

It applies to you as obviously, the user database table was retrieved. It may not contain a hash of your password. But if the password is safe (i.e., no dictionary word etc.), a hash alone isn't sufficient to hack the password anyway.

Feb 13, 2019
ShaiKhulud

502 when changing my password. Brilliant. Time to pull the plug from my 500px account D:

Feb 13, 2019
BlueBomberTurbo

When I tried to log in, I got passed off to the site's favicon.......

Feb 14, 2019
Crixus

Some users can't change the password because 500PX doesn't send the e-mail with the link to change the password. This isn't fair, while we're being kept at the gates, the lucky ones are inside, feasting and getting all the likes that were supposed to be ours!

Feb 13, 2019
Carl bcn

True. I've tried to reset my password two or three times since I got the warning, to no avail.

Feb 13, 2019
Woodyz

I got the security breach screen after login. Got the reset email immediately. That was all a few minutes ago.

Feb 13, 2019
RLG60

I got the message this morning and could reset the password, but it was slow. After that I completed a form to delete the account. It must have been somewhere in 2010 or later that I joined, I don't remember. Used it once and never again. Meanwhile I forgot that I was registered.

Feb 13, 2019
Fly18

Yeah, "breach"!

Feb 13, 2019
Carol T

"500px suffered a data breach in July 2018 that exposed info of all 15M users"

Well, of course they did. If you give any company or site any info at all, you have to expect that at some point it will be stolen or at least compromised. Eventually we may as well just post all our personal info straight to the internet and be done with it.

Feb 13, 2019
Holger Drallmeyer

Exactly, who is dumb enough to leave personal data on a site that is Chinese owned. Some people need to be slapped.

Feb 13, 2019
otto k

@Carol - about that, Mark Zuckerberg has already created Facebook, you're late to the party...

Feb 13, 2019
Carol T

Otto: My point is that whether it is a breach (I have been through that with at least 6 huge companies, a couple TWICE) or just straight-out abuse like FB, we are all screwed these days if we want to do anything beyond living completely cut off from modern civilization. As someone said in another post, all these companies *force* you to give them all this info if you want to do any kind of business with them, financial or otherwise.

Feb 13, 2019
Gmon750

I couldn't care less if any Facebook breach exposes my penchant for cute puppy videos. People are blowing things way out of proportion for the sake of sticking it to the big guy. What private info is on 500px? If you're putting truly private info anywhere on some 3rd-party site, then you deserve all the bad things that come from it.

People put more time and energy criticizing firms like Facebook, 500px, yet barely a peep from the huge Equifax scandal which breached truly personal, financially-damaging information on just about every American taxpayer that I had no control over. Where's the outrage?

Feb 13, 2019
Holger Drallmeyer

Good points Gmon750.

Feb 13, 2019
Carol T

Gmon: Equifax is one of the ones I was referring to. Target. Anthem. And a couple of other huge ones, where I had no choice, and had my data breached.

I think the reason people are complaining on DPR about 500px and not those big companies is because, well, this is a photo site, and 500px is related to photographers and the others not so much. But some of us (me) used that to speak to the broader, more dangerous situation.

Feb 13, 2019
MichelBB

@ Gmon750
" If you're putting truly private info anywhere on some 3rd-party site, then you deserve all the bad things that come from it."

What 1-st party site you recommend for my nudes ?

Feb 14, 2019*
vscd

@GMon750

Today it's 500px.com, tomorrow Amazon and in the future your bank account. Why did you spend your private data there? In fact the companies are not willing or able to be at least as secure as my password, which has to consist of special chars, upper/lower case, numbers and at least 20 chars length before they accept it. RIDICULOUS! ;(

Feb 14, 2019*
Slapstick Noir

It happened 7 months ago, too late for changing passwords, idiots!
Tip: never use your real name, birth date and/or a phone number, and always use a dummy email.

Feb 13, 2019
Carol T

Yes, we probably all just need to develop a couple dozen fake identities in life.

Feb 13, 2019
tkbslc

If you use fake names, dates and numbers, then you are screwed if you ever get locked out.

Feb 13, 2019
Fly18

How would you pay for "Pro" membership?

Feb 13, 2019
Kris Hary

It's a hash of the passwords, so it might not be that bad if it's done properly.

Feb 13, 2019
Woodyz

Spotify already leaked my email and old password awhile back. I use Apple's password manager now.

Feb 13, 2019
lightandaprayer

I always have at least 2 email accounts. I use a "public address" for online registrations. Another option is to use an email alias for registrations and trash it if the spam becomes too onerous. Runbox does an admirable job of keeping 99% of spam from reaching my public address inbox. My personal address receives 0 spam.

Feb 13, 2019
deednets

@Carol T I work in IT and am gobsmacked as to how easy it is to get some people's passwords e.g. for emails: go to a chat-window for XTRA (the main ISP here in NZ) and tell them your full name birthdate and address - and bingo there is the pw change! The problem with all online IDs is that you shouldn't use your "real" data as anybody who has ever been to your birthday can demi guess your DOB.
So not a matter of "many fake IDs" but to protect the one you have!

Feb 13, 2019
cosinaphile

if you use sites like 500 px, then you are already using a dummy email

Feb 15, 2019
lightandaprayer

@deednets Agreed. ISPs are their own worst enemies. . . I'm sorry to hear that things aren't different in New Zealand. At least you have the gorgeous landscape as some compensation for their lousy service.

Just a heads-up for anyone interested in a better alternative to email services provided by ISPs, and domain registrars such as GoDaddy and GMail: the email company Runbox.com is based in Norway and it is available everywhere (I live on the Left Coast of America.)

Norwegian privacy laws are particularly consumer-friendly. The Norwegian Data Protection Authority is responsible for managing the Personal Data Act of 2000, which governs privacy concerns. The NDPA is an independent administrative body of the Norwegian Ministry of Government Administration and Reform.

I've been using Runbox for over 6 years. Its service is second to none and the cost very reasonable. An added bonus: Runbox doesn't scan your email so it can bombard you with targeted ads. ;)

Feb 15, 2019*
F-ONE

Shocking! Unbelievable!

Feb 13, 2019
shinan

Not more shocking than seeing this many people still using their service.

Feb 13, 2019
J A C S

Why would a site like this want to know your birthdate? If it does, why would you give it to it?

Feb 13, 2019
lightandaprayer

If your birthdate is required, you won't be able to register without providing the info. Age verification is usually used to limit the legal liability of the website owner.

Feb 13, 2019
J A C S

You just provide a fake birthdate.

Feb 13, 2019
lightandaprayer

That's one way to get around it. . .

Feb 13, 2019
Mnemon

Yes, but then that's you violating the Terms of Service... it's about the website pushing responsibility to the user and trying to limit legal liability at as low a cost and effort as possible. It's not about you as a user.

Feb 13, 2019
Carol T

Mnemon: It's basically about the companies being completely arrogant and self-aggrandizing, wanting complete control because it makes things at the least easier for them, and perhaps even directly makes them money by selling your info. A lot of benefits for them and a lot of risk for us, and they seem to feel little-to-no responsibility for the risks they are making us take to interact with them.

Feb 13, 2019
BasilG

"A hash of their passwords"? Meaning number of # corresponding to the number of characters in the password? Or does that expression have another meaning? Sorry, non-native speaker here.

Feb 13, 2019
geekyrocketguy

It means the encrypted form of the passwords. So the passwords weren't exposed directly, but if someone managed to crack the encryption/obtain the decryption method (unlikely), the passwords could be revealed.

Feb 13, 2019
lightandaprayer

Geeky beat me to it while I was composing my message! Too bad there isn't a delete option. . .

Feb 13, 2019*
Jon555

It's a cryptographic function which basically makes a digital fingerprint for the password. Surprisingly easy to crack if it's a straight hash, either by hashing the password lists that are around, with like 100M common, seen passwords and variants like zero for O, etc. or using rainbow tables, where you just set all the computers you've compromised hashing every possible password (A, B, ... AAAAAAAA, AAAAAAAB, etc.) and store the results on a NAS with a bunch of 14TB drives in it. In both cases you just look up the hashes in the list against the results.
A better approach (which they hopefully did) is to use a salted hash, where you combine a random long piece of data with the password and then hash that. The salt isn't a secret but stored in clear text besides the password. What it means is you then have to test each hashed password one at a time, usually just by trying the long lists of seen passwords.
Hope that made some sense.

Feb 13, 2019
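The comment above makes two claims worth seeing in working code: an unsalted fast hash can be attacked with one precomputed table that serves every leaked account, while a salt forces the attacker to redo the wordlist for each account, and a deliberately slow function multiplies that per-guess cost. The block below is an added example, not code from the page or from 500px; the six-word "wordlist", the three victims and their fixed salts are constructed for the demo, and PBKDF2-HMAC-SHA256 is used as the slow function. It goes slightly beyond the comment by timing the three attacks side by side.

```python
"""Dictionary attack cost against unsalted MD5, salted SHA-512 and a slow KDF.
Added example with constructed data; nothing here is real leaked material."""
import hashlib
import time

# Constructed stand-in for a SecLists-style common-password list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "Summer2018!"]

# Constructed victims: (username, real password, per-account salt).
# Salts are fixed so the demo is reproducible; in production they come from os.urandom.
USERS = [
    ("alice", "letmein", bytes.fromhex("a1b2c3d4e5f60718")),
    ("bob", "correct horse battery staple", bytes.fromhex("0f1e2d3c4b5a6978")),
    ("carol", "Summer2018!", bytes.fromhex("deadbeefcafef00d")),
]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(words):
    """Unsalted fast hash: compute hash -> password ONCE, reuse for every victim."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(leaked, table):
    """leaked: [(user, md5_hex)]. One dictionary lookup per account, no hashing."""
    return {user: table[h] for user, h in leaked if h in table}


def salted_sha512(password: str, salt: bytes) -> str:
    return hashlib.sha512(salt + password.encode()).hexdigest()


def crack_salted(leaked, words):
    """leaked: [(user, salt, hash)]. The precomputed table is useless because
    every account has its own salt, so each account costs a fresh pass over
    the wordlist. Returns (cracked, number of hash computations)."""
    cracked, attempts = {}, 0
    for user, salt, h in leaked:
        for w in words:
            attempts += 1
            if salted_sha512(w, salt) == h:
                cracked[user] = w
                break
    return cracked, attempts


def pbkdf2_hex(password: str, salt: bytes, iterations: int = 100_000) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack_pbkdf2(leaked, words, iterations=100_000):
    """Same per-account loop, but every guess now costs `iterations` HMACs."""
    cracked = {}
    for user, salt, h in leaked:
        for w in words:
            if pbkdf2_hex(w, salt, iterations) == h:
                cracked[user] = w
                break
    return cracked


def demo():
    """Run all three attacks on the constructed victims and summarise."""
    table = build_lookup(WORDLIST)
    leaked_md5 = [(u, md5_hex(pw)) for u, pw, _ in USERS]
    leaked_sha = [(u, s, salted_sha512(pw, s)) for u, pw, s in USERS]
    leaked_kdf = [(u, s, pbkdf2_hex(pw, s)) for u, pw, s in USERS]

    t0 = time.perf_counter()
    md5_hits = crack_unsalted(leaked_md5, table)
    t1 = time.perf_counter()
    sha_hits, sha_attempts = crack_salted(leaked_sha, WORDLIST)
    t2 = time.perf_counter()
    kdf_hits = crack_pbkdf2(leaked_kdf, WORDLIST)
    t3 = time.perf_counter()

    return {
        "unsalted_cracked": sorted(md5_hits),
        "unsalted_lookups": len(leaked_md5),
        "salted_cracked": sorted(sha_hits),
        "salted_attempts": sha_attempts,
        "pbkdf2_cracked": sorted(kdf_hits),
        "seconds": (t1 - t0, t2 - t1, t3 - t2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

All three schemes give up the two accounts whose passwords are in the list and none gives up bob's passphrase, which is the point: the hash scheme only changes how much work each guess costs, so a password that appears in any common list is lost regardless, and a salted slow hash mainly buys time for users with uncommon passwords while the reset goes out.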
Jon555

P.S. also used for file integrity tests, you can hash data that's as long as you like. If you download big files you may see stuff on the download page like MD5 and SHA1 followed by long numbers. These are the hashes of the file (there are a bunch of hash types) and when you've downloaded it you can check it's intact/correct by hashing it yourself (with a program like HashCalc) and comparing.

Feb 13, 2019*
BasilG

Thanks all. Dr. Jon, I assume the salting means that instead of running the computations once and then comparing to all passwords you have, all the computations have to be re-run for every single password, increasing computational demands substantially (and making it less practicable)?

Feb 13, 2019
Jon555

Yes, exactly. Although you can run through them quite quickly (computers huh, especially lots of computers) so having a password not in a list of common ones is a big plus (they're not likely to try brute force if you aren't mega-famous or a squillionaire). Here's the top 100,000:
https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-100000.txt
Here's 551.5M:
https://haveibeenpwned.com/Passwords
This is an 11GB file and includes the SHA1 hash of all the passwords (but not the originals as they might be personal, although of course files with the originals are easily available if you're on the dark web).
Also note they provide a hash for the file, so you can check the file came down okay.
With an unsalted hash the only way out is to have more characters than they are likely to have rainbow tables for (so 16 would be good) and again not something on any of the common lists.

Feb 13, 2019*
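The comment above points at the Have I Been Pwned password list (SHA-1 hashes with counts) and at the file checksum published alongside it. The following added example, which is not code from the page or from haveibeenpwned.com, shows the defensive use of such a list: verifying the download against its published digest before trusting it, then checking a candidate password by the first five hex characters of its SHA-1 (the "range" shape of HIBP's API, so the full hash never has to leave the machine). The four-entry corpus, its counts and the "published" digest are constructed for the demo.

```python
"""Offline check of a password against an HIBP-style 'SHA1:COUNT' list.
Added example with a constructed corpus; the counts are not real figures."""
import hashlib
from typing import Dict, List, Tuple


def sha1_upper(password: str) -> str:
    """The list keys on SHA-1 of the password in upper-case hex."""
    return hashlib.sha1(password.encode()).hexdigest().upper()


def build_corpus(counts: Dict[str, int]) -> bytes:
    """Constructed stand-in for the downloadable file: one 'SHA1:COUNT' line
    per password, sorted by hash, the same shape as the real list."""
    lines = sorted(f"{sha1_upper(pw)}:{n}" for pw, n in counts.items())
    return ("\n".join(lines) + "\n").encode()


def verify_checksum(data: bytes, expected_sha256_hex: str) -> bool:
    """Compare the download to the published digest before using it."""
    return hashlib.sha256(data).hexdigest().lower() == expected_sha256_hex.lower()


def range_bucket(corpus: bytes, prefix: str) -> List[Tuple[str, int]]:
    """What a k-anonymity 'range' query returns for a 5-hex-char prefix:
    (35-char suffix, count) for every hash that starts with the prefix."""
    out = []
    for line in corpus.decode().splitlines():
        h, n = line.split(":")
        if h.startswith(prefix):
            out.append((h[5:], int(n)))
    return out


def pwned_count(password: str, corpus: bytes) -> int:
    """Look a password up by prefix; only the 5-char prefix would ever be sent
    to a remote service, and the suffix comparison happens locally."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for s, n in range_bucket(corpus, prefix):
        if s == suffix:
            return n
    return 0


# Constructed corpus and counts (NOT real HIBP figures).
CORPUS = build_corpus({"password": 1000, "123456": 5000, "letmein": 250, "dragon": 80})
# Stands in for the digest the publisher posts next to the download link.
PUBLISHED_SHA256 = hashlib.sha256(CORPUS).hexdigest()


if __name__ == "__main__":
    if not verify_checksum(CORPUS, PUBLISHED_SHA256):
        raise SystemExit("corpus checksum mismatch; do not use it")
    for pw in ["password", "letmein", "correct horse battery staple"]:
        print(f"{pw!r}: seen {pwned_count(pw, CORPUS)} times")
```

A match does not mean the password was cracked in this breach, only that it appears in some public corpus, which is reason enough to retire it everywhere it is used.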
lightandaprayer

I prefer to make my important passwords at least 20 characters. But even some financial websites limit the character count to around 8 characters. Very Frustrating!

Feb 13, 2019
lighthunter80

With stolen hashed passwords the importance of a secure PW comes into play. There are tons of clear text PW libraries out in the net. If you grab one and hash all passwords in it you get a library that you can now match against the leaked hashes, and any match would reveal the real password (as you have the original clear text library).

With a secure password that uses lots of special characters and is long enough (16 chars+) this is less likely to ever come up in a library as mentioned above.

Even more important is to use multi factor authentication if offered. Unfortunately DPR don't offer it yet...

Feb 13, 2019
stevo23

Bravo!

Feb 13, 2019
sense601

Yesterday it was Eyeem's turn. Of course everything was safe, because of their super secure systems, but just to be sure STOP WHATEVER UR DOING AND CHANGE YOUR PW IMMEDIATELY!!!

Feb 13, 2019
kociasek

ROFL! 🤣

Feb 13, 2019
ManfredGrebler

Most important: In case you have used the same e-mail / password combination at any other site, you must change your password at any of these sites asap.

Feb 13, 2019
tkbslc

wish I could remember what I used on 500px. I swear I made an account 5 years ago and never used it.

Feb 13, 2019
lightandaprayer

If you aren't already using a password management app, you might want to start. Then you don't need to remember if you have an account and the password you used.

The password generator tool that 1Password and other apps have is something I use all the time. It makes it less likely that I will simply use the same password for multiple websites.

1Password also has a feature called "Watchtower" that provides alerts when a website for which you have an account has been hacked. That way you know you may have a problem if you missed hearing about it in the media and can change the compromised password.

Feb 13, 2019
tkbslc

I don't like those password generators as it's a PITA to type 20 random digits. I'd rather use a long sentence or string of words.

I did use the same password for everything 5 years ago, though, which is why I'm a little concerned. Hoping I've changed everything since then, but even with a password manager, I still find things I've missed.

Feb 13, 2019
RLG60

I'm using password generators, long sentence or a combination of both.

Feb 13, 2019
lightandaprayer

Many websites require using numbers and punctuation marks while also limiting the maximum number of characters. . . It's frustrating! Some of the requirements actually reduce the strength of the possible passwords.

Feb 13, 2019*
kociasek

"has found now signs"
This should read "has found no signs".

Feb 13, 2019*