500px suffered a data breach in July 2018 that exposed info of all 15M users

500px, the photo sharing service owned by Visual China Group (VCG), the world's third-largest visual content provider, posted a security notice on its support site today revealing that the platform suffered a security breach that exposed user data and profile information.

The breach was discovered by 500px engineers only a few days ago, on February 8, but actually happened all the way back on July 5, 2018. The company says all users who signed up on or before that day are affected; the breach exposed users' first and last names, usernames, email addresses, a hash of their passwords and dates of birth.

Users who chose to provide gender and location information when signing up had that data exposed as well. The good news is that 500px has found no signs of unauthorized entry into any of the affected user accounts. Payment information was not compromised either.

In its announcement 500px says it will upgrade its security measures and examine its source code to avoid similar issues in the future. The company is also asking all users to change their passwords; because the password hashes themselves were taken, anyone who reused their 500px password on another site should change it there too.

Comments

sirhawkeye64

Hmmm.. owned by a Chinese company, and then suffers a data breach. Not surprising. Guess I'm glad I never bought into 500px (only browsed, never signed up).

1 day ago*
Clint Dunn

Why would anyone ever pay to use 500PX?? I keep a few pics on the site but have never provided a Visa number. I actually think 500PX has some amazing quality of work, far superior to what you see in say Flickr 'Explore'.

2 days ago
NickyB66

What do you expect from a China owned company.

2 days ago
Copal Fit

Another issue with 500px....glad I never signed up there after I heard about other issues regarding photo copying etc on this site a few years back.

2 days ago
jayfromeast

and?
People still use Facebook and iPhones..
Identity theft has become such a trivial deal.
Props to the big companies that haven't been breached yet.

3 days ago
MichelBB

What is the problem? Most people say they have nothing to hide.

3 days ago
SilvanBromide

@MichelBB It has nothing to do with people having - or not having - anything to hide.

There is a risk that the data may be used for phishing attempts, identity theft and other scams. FYI.

3 days ago
McArchive

"There is a risk that the data may be used for phishing attempts, identity theft and other scams. FYI."

That's the basis of the internet and cell service these days, no? Now, off to the cookie store....

3 days ago
BlueBomberTurbo

Ha, looks like I haven't touched my 500px account since 2010. No important info or any pics in there. Basically signed up, said meh, and never looked back.

3 days ago
vscd

We didn't miss you either.

3 days ago
BlueBomberTurbo

So much so that you had to personally comment. I feel loved. :)

2 days ago
vscd

You're so eloquent my deer. Sorry... my dear.

2 days ago
falconeyes

BREAKING NEWS
============================
500px is only one out of 16 known breaches. The list is as follows:

8fit (20 million)
500px (15 million)
Animoto (25 million)
Armor Games (11 million)
Artsy (1 million)
BookMate (8 million)
CoffeeMeetsBagel (6 million)
DataCamp (700,000)
Dubsmash (162 million)
EyeEm (22 million)
Fotolog (16 million)
HauteLook (28 million)
MyFitnessPal (151 million)
MyHeritage (92 million)
ShareThis (41 million)
Whitepages (18 million)

All account data is for sale in the dark net. Via: heise.de Source: https://www.theregister.co.uk/2019/02/11/620_million_hacked_accounts_dark_web/

3 days ago*
falconeyes

It is untrue that 500px acted on survey of log files. They acted after their data showed up for sale Feb 12.

3 days ago*
falconeyes

Details for 500px:

500px: 14,870,304 accounts for 0.217 BTC ($780) total
1.5GB of data taken July 2018. Each account record contains the username, email address, MD5-, SHA512- or bcrypt-hashed password, hash salt, first and last name, and if provided, birthday, gender, and city and country.

They started a system-wide password reset starting with MD5-hashed passwords (weakest).

3 days ago*
5r82

Can't reset the password there as I don't receive 6 digit token. Anyone else having the same issue?

3 days ago
Wild Bill - Polo Protog

Now if only someone would offer to buy this data, and send the sellers a nice virus as payment.

2 days ago
Wye Photography

Way to go Chinese.

You can leak like the best of them.

3 days ago*
CallumG

Well at least the passwords are hashed. That's the least I can ask for. Glad I left them, whoever "they" are. I left because I realised the big players probably used bots in the early days to mass like and comment to get their following.

With these companies, it's not if your data is leaked, it's when and who gets it.

3 days ago*
Razakel

According to the announcement they used the MD5 algorithm. This algorithm is flawed and hasn't been recommended for password hashing for more than 10 years now. If you use the same password somewhere else you should absolutely consider changing it.

1 day ago*
McArchive

The sharing economy keeps on growing!

3 days ago
Sirandar

I usually apply the one in 1000 rule to these happenings. For every incident anyone is aware about, there are 1000 that go undetected.

Only the mildly incompetent breach and the target becomes aware. Ones that make the news usually do so as part of wider considerations. Many remember Ashley Madison, a fake escort service that really just practiced extortion. How long that business stayed open is a testament to human nature.

Being an IT manager you are usually in a position of responsibility without any authority. Pretty much guaranteed mayhem. We implement tighter and tighter infrastructure based controls and compliance structures ..... until 90% of a job is compliance and the infrastructure itself replaces human involvement in it.

Maybe this is a good thing, as Google's self-driving vehicles are probably better at it than the average driver, perhaps even now, and as they develop further human drivers will probably be the most risky on the road.

3 days ago*
aimatyna

I left 500px one year ago or so because some of their partners used my photos and didn't pay me at all. They practice dirty business.

3 days ago
McArchive

but did your data leave with you?

3 days ago
aimatyna

I left 500px in October 2017. I asked a manager to delete my account and all my data.
Useless request. My data is still there.
You can see my last photo there: simply type "amatyna" on the site 500px.com
I am indignant but not surprised...

3 days ago
Wild Bill - Polo Protog

One of the reasons I NEVER used my real birthdate when creating accounts on such services (Facebook, 500px, E-mail accounts, etc.). FWIW: I have dropped all such accounts except E-mails and Disqus.

3 days ago
MySimplePhotosToday

I wonder if this could be the reason nobody sends me Happy Birthday messages.

2 days ago
Wild Bill - Polo Protog

Get/got them from some of those services, but always on the wrong date.

2 days ago
WebmasterNeal

My password reset email takes me to a page stating the following:
"Please enter the 6-digit verification code on your authenticator:"

And I don't have a 6 digit code to enter...

3 days ago
Kurt Helge Roesand

Yep, same here. So, I'm completely locked out of my account. When I finally get to log in I will delete my account for sure.

3 days ago*
David 247

I got that too, but I think there was a link below that (not obvious) to have the code sent to you if you didn't receive one. I did get a code and since I hadn't been using it, deleted the last of my photos and closed the account.

3 days ago
dpreviewblog

Strange... but when 500px went to China, my gallery became more popular... more favs, more watchers :)))
Btw... regularly resetting / changing all users' passwords is the only way to remove the bots and fake accounts.

3 days ago*
tinternaut

I have the email from them but I’m not entirely sure if it applies to me. I sign into 500px via Facebook.

3 days ago
falconeyes

It applies to you as obviously, the user database table was retrieved. It may not contain a hash of your password. But if the password is safe (i.e., no dictionary word etc.), a hash alone isn't sufficient to hack the password anyway.

3 days ago
ShaiKhulud

502 when changing my password. Brilliant. Time to pull the plug from my 500px account D:

3 days ago
BlueBomberTurbo

When I tried to log in, I got passed off to the site's favicon.......

3 days ago
Crixus

Some users can't change the password because 500PX doesn't send the e-mail with the link to change the password. This isn't fair, while we're being kept at the gates, the lucky ones are inside, feasting and getting all the likes that were supposed to be ours!

3 days ago
Carl bcn

True. I've tried to reset my password two or three times since I got the warning, to no avail.

3 days ago
Woodyz

I got the security breach screen after login. Got the reset email immediately. That was all a few minutes ago.

3 days ago
RLG60

I got the message this morning and could reset the password, but it was slow. After that I completed a form to delete the account. I must have joined somewhere in 2010 or later, I don't remember. Used it once and never again. Meanwhile I forgot that I was registered.

3 days ago
Fly18

Yeah, "breach"!

3 days ago
Carol T

"500px suffered a data breach in July 2018 that exposed info of all 15M users"

Well, of course they did. If you give any company or site any info at all, you have to expect that at some point it will be stolen or at least compromised. Eventually we may as well just post all our personal info straight to the internet and be done with it.

3 days ago
Holger Drallmeyer

Exactly, who is dumb enough to leave personal data on a site that is Chinese owned. Some people need to be slapped.

3 days ago
otto k

@Carol - about that, Mark Zuckerberg has already created Facebook, you're late to the party...

3 days ago
Carol T

Otto: My point is that whether it is a breach (I have been through that with at least 6 huge companies, a couple TWICE) or just straight-out abuse like FB, we are all screwed these days if we want to do anything beyond living completely cut off from modern civilization. As someone said in another post, all these companies *force* you to give them all this info if you want to do any kind of business with them, financial or otherwise.

3 days ago
Gmon750

I couldn't care less if any Facebook breach exposes my penchant for cute puppy videos. People are blowing things way out of proportion for the sake of sticking it to the big guy. What private info is on 500px? If you're putting truly private info anywhere on some 3rd-party site, then you deserve all the bad things that come from it.

People put more time and energy criticizing firms like Facebook, 500px, yet barely a peep from the huge Equifax scandal which breached truly personal, financially-damaging information on just about every American taxpayer that I had no control over. Where's the outrage?

3 days ago
Holger Drallmeyer

Good points Gmon750.

3 days ago
Carol T

Gmon: Equifax is one of the ones I was referring to. Target. Anthem. And a couple of other huge ones, where I had no choice, and had my data breached.

I think the reason people are complaining on DPR about 500px and not those big companies is because, well, this is a photo site, and 500px is related to photographers and the others not so much. But some of us (me) used that to speak to the broader, more dangerous situation.

3 days ago
MichelBB

@ Gmon750
" If you're putting truly private info anywhere on some 3rd-party site, then you deserve all the bad things that come from it."

What 1-st party site you recommend for my nudes ?

3 days ago*
vscd

@GMon750

Today it's 500px.com, tomorrow Amazon and in the future your bank account. Why did you put your private data there? In fact the companies are not willing or able to be at least as secure as my password, which has to consist of special chars, upper/lower case, numbers and at least 20 chars in length before they accept it. RIDICULOUS! ;(

3 days ago*
Slapstick Noir

It happened 7 months ago, too late for changing passwords, idiots!
Tip: never use your real name, birth date and/or a phone number, and always use a dummy email.

3 days ago
Carol T

Yes, we probably all just need to develop a couple dozen fake identities in life.

3 days ago
tkbslc

If you use fake names, dates and numbers, then you are screwed if you ever get locked out.

3 days ago
Fly18

How would you pay for "Pro" membership?

3 days ago
Kris Charatonik

It's a hash of the passwords, so it might not be that bad if it's done properly.

3 days ago
Woodyz

Spotify already leaked my email and old password awhile back. I use Apple's password manager now.

3 days ago
lightandaprayer

I always have at least 2 email accounts. I use a "public address" for online registrations. Another option is to use an email alias for registrations and trash it if the spam becomes too onerous. Runbox does an admirable job of keeping 99% of spam from reaching my public address inbox. My personal address receives 0 spam.

3 days ago
deednets

@Carol T I work in IT and am gobsmacked as to how easy it is to get some people's passwords, e.g. for emails: go to a chat window for XTRA (the main ISP here in NZ) and tell them your full name, birthdate and address - and bingo, there is the pw change! The problem with all online IDs is that you shouldn't use your "real" data, as anybody who has ever been to your birthday can guess your DOB.
So it's not a matter of "many fake IDs" but of protecting the one you have!

3 days ago
cosinaphile

if you use sites like 500 px, then you are already using a dummy email

2 days ago
lightandaprayer

@deednets Agreed. ISPs are their own worst enemies. . . I'm sorry to hear that things aren't different in New Zealand. At least you have the gorgeous landscape as some compensation for their lousy service.

Just a heads-up for anyone interested in a better alternative to email services provided by ISPs, and domain registrars such as GoDaddy and GMail: the email company Runbox.com is based in Norway and it is available everywhere (I live on the Left Coast of America.)

Norwegian privacy laws are particularly consumer-friendly. The Norwegian Data Protection Authority is responsible for managing the Personal Data Act of 2000, which governs privacy concerns. The NDPA is an independent administrative body of the Norwegian Ministry of Government Administration and Reform.

I've been using Runbox for over 6 years. Its service is second to none and the cost very reasonable. An added bonus: Runbox doesn't scan your email so it can bombard you with targeted ads. ;)

1 day ago*
F-ONE

Shocking! Unbelievable!

3 days ago
shinan

Not more shocking than seeing this many people still using their service.

3 days ago
J A C S

Why would a site like this want to know your birthdate? If it does, why would you give it to it?

3 days ago
lightandaprayer

If your birthdate is required, you won't be able to register without providing the info. Age verification is usually used to limit the legal liability of the website owner.

3 days ago
J A C S

You just provide a fake birthdate.

3 days ago
lightandaprayer

That's one way to get around it. . .

3 days ago
Mnemon

Yes, but then that's you violating the Terms of Service ... it's about the website pushing responsibility to the user and trying to limit legal liability at as low a cost and effort as possible. It's not about you as a user.

3 days ago
Carol T

Mnemon: It's basically about the companies being completely arrogant and self-aggrandizing, wanting complete control because it makes things at the least easier for them, and perhaps even directly makes them money by selling your info. A lot of benefits for them and a lot of risk for us, and they seem to feel little-to-no responsibility for the risks they are making us take to interact with them.

3 days ago
BasilG

"A hash of their passwords"? Meaning number of # corresponding to the number of characters in the password? Or does that expression have another meaning? Sorry, non-native speaker here.

3 days ago
geekyrocketguy

It means the encrypted form of the passwords. So the passwords weren't exposed directly, but if someone managed to crack the encryption/obtain the decryption method (unlikely), the passwords could be revealed.

3 days ago
lightandaprayer

Geeky beat me to it while I was composing my message! Too bad there isn't a delete option. . .

3 days ago*
Dr_Jon

It's a cryptographic function which basically makes a digital fingerprint for the password. Surprisingly easy to crack if it's a straight hash, either by hashing the password lists that are around, with like 100M common, seen passwords and variants like zero for O, etc. or using rainbow tables, where you just set all the computers you've compromised hashing every possible password (A, B, ... AAAAAAAA, AAAAAAAB, etc.) and store the results on a NAS with a bunch of 14TB drives in it. In both cases you just look up the hashes in the list against the results.
A better approach (which they hopefully did) is to use a salted hash, where you combine a random long piece of data with the password and then hash that. The salt isn't a secret but is stored in clear text beside the password. What it means is you then have to test each hashed password one at a time, usually just by trying the long lists of seen passwords.
Hope that made some sense.

3 days ago
Dr_Jon

P.S. also used for file integrity tests, you can hash data that's as long as you like. If you download big files you may see stuff on the download page like MD5 and SHA1 followed by long numbers. These are the hashes of the file (there are a bunch of hash types) and when you've downloaded it you can check it's intact/correct by hashing it yourself (with a program like HashCalc) and comparing.

3 days ago*
BasilG

Thanks all. Dr. Jon, I assume the salting means that instead of running the computations once and then compare to all passwords you have, all the computations have to be re-run for every single password, increasing computational demands substantially (and making it less practicable)?

3 days ago
Dr_Jon

Yes, exactly. Although you can run through them quite quickly (computers huh, especially lots of computers) so having a password not in a list of common ones is a big plus (they're not likely to try brute force if you aren't mega-famous or a squillionaire). Here's the top 100,000:
https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-100000.txt
Here's 551.5M:
https://haveibeenpwned.com/Passwords
This is an 11GB file and includes the SHA1 hash of all the passwords (but not the originals as they might be personal, although of course files with the originals are easily available if you're on the dark web).
Also note they provide a hash for the file, so you can check the file came down okay.
With an unsalted hash the only way out is to have more characters than they are likely to have rainbow tables for (so 16 would be good) and again not something on any of the common lists.

3 days ago*
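Dr_Jon's pointer to the Pwned Passwords SHA-1 list is easy to act on offline. What follows is an added example, not code from the original page, from 500px, or from any commenter: it builds a tiny constructed stand-in for the "SHA1HASH:count" download, indexes it by the same five-hex-character prefix the online range API uses (so the full hash of the password being checked never has to leave the machine), looks a candidate password up, and verifies a download against its published digest, the check Dr_Jon mentions. The sample passwords, their counts and all function names are assumptions.

```python
import hashlib
import hmac


def sha1_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form the list uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the 11 GB "SHA1HASH:count" download (counts invented).
SAMPLE_LIST = "\n".join(
    f"{sha1_upper(p)}:{n}"
    for p, n in [("password", 3730471), ("123456", 23597311), ("letmein", 236590)]
)


def load_range_index(text: str) -> dict:
    """Bucket lines by 5-hex-char prefix -> {35-char suffix: count}.

    This mirrors how the online range API is organised: a client sends only
    the prefix and receives every suffix in that bucket, then finishes the
    comparison locally.
    """
    index: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, count = line.split(":", 1)
        index.setdefault(digest[:5], {})[digest[5:]] = int(count)
    return index


def pwned_count(password: str, index: dict) -> int:
    """How many times the password appears in the list (0 means not seen)."""
    digest = sha1_upper(password)
    bucket = index.get(digest[:5], {})
    return bucket.get(digest[5:], 0)


def file_digest(data: bytes) -> str:
    """SHA-1 of a downloaded file, for comparison with the published digest."""
    return hashlib.sha1(data).hexdigest()


def verify_download(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the file digest with the published value."""
    return hmac.compare_digest(file_digest(data), expected_hex.lower())


if __name__ == "__main__":
    index = load_range_index(SAMPLE_LIST)
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen {pwned_count(candidate, index)} times")
    published = file_digest(SAMPLE_LIST.encode())
    print("download intact:", verify_download(SAMPLE_LIST.encode(), published))
```

Against the real file you would stream it line by line rather than hold it in memory, but the prefix bucketing and the local suffix comparison are the same; a non-zero count means the password is already in attackers' wordlists and is no safer for being long.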
lightandaprayer

I prefer to make my important passwords at least 20 characters. But even some financial websites limit the character count to around 8 characters. Very Frustrating!

3 days ago
lighthunter80

With stolen hashed passwords the importance of a secure PW comes into play. There are tons of clear text PW libraries out on the net. If you grab one and hash all passwords in it you get a library that you can now match against the leaked hashes, and any match would reveal the real password (as you have the original clear text library).

With a secure password that uses lots of special characters and is long enough (16 chars+) this is less likely to ever come up in a library as mentioned above.

Even more important is to use multi factor authentication if offered. Unfortunately DPR don't offer it yet...

3 days ago
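falconeyes' description of the record layout (MD5-, SHA-512- or bcrypt-hashed password plus a salt column, with the reset starting at the MD5 rows) and the wordlist lookup that Dr_Jon and lighthunter80 describe fit together in one added example. This is not code from the original page, from 500px or from any commenter: it builds a constructed handful of records in that layout, ranks them for a forced reset by hash scheme (fast unsalted MD5 first), then runs a wordlist against the MD5 rows with a single precomputed table and against the salted SHA-512 rows one account at a time, counting hash computations so the cost of the salt is visible. The salt placement (salt prepended to the password), the usernames, salts, passwords and wordlist are all assumptions; the bcrypt string is a placeholder of the right shape that is only recognised, not verified (that would need the bcrypt library).

```python
import hashlib
from collections import Counter

# Constructed records in the layout described in the thread:
# (username, email, password_hash, salt).  Nothing here is real 500px data.
BCRYPT_PLACEHOLDER = "$2b$12$" + "A" * 53          # shape of a bcrypt string only
RECORDS = [
    ("alice", "alice@example.com", hashlib.md5(b"password123").hexdigest(), ""),
    ("bob",   "bob@example.com",   hashlib.md5(b"Tr0ub4dor&3").hexdigest(), ""),
    ("carol", "carol@example.com",
     hashlib.sha512(b"s4lt1" + b"password123").hexdigest(), "s4lt1"),
    ("dave",  "dave@example.com",
     hashlib.sha512(b"s4lt2" + b"correct horse battery staple").hexdigest(), "s4lt2"),
    ("erin",  "erin@example.com", BCRYPT_PLACEHOLDER, ""),
]

# Constructed stand-in for a leaked clear-text password list.
WORDLIST = ["123456", "password", "password123", "qwerty", "letmein",
            "correct horse battery staple"]


def hash_scheme(digest: str, salt: str) -> str:
    """Classify a stored hash by its shape (assumed conventions for this sample)."""
    if digest.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"                 # salt and cost factor embedded in the string
    if len(digest) == 32 and not salt:
        return "md5"                    # unsalted and fast: weakest
    if len(digest) == 128 and salt:
        return "sha512-salted"          # fast, but a per-account salt
    return "unknown"


RESET_PRIORITY = {"md5": 0, "unknown": 1, "sha512-salted": 2, "bcrypt": 3}


def scheme_counts(records) -> dict:
    """How many accounts sit under each scheme, for the incident summary."""
    return dict(Counter(hash_scheme(h, s) for _, _, h, s in records))


def reset_order(records) -> list:
    """Usernames in the order a forced reset should reach them: weakest scheme first."""
    ranked = sorted(records, key=lambda r: RESET_PRIORITY[hash_scheme(r[2], r[3])])
    return [r[0] for r in ranked]


def crack_unsalted_md5(records, wordlist):
    """One precomputed table serves every account; returns (found, hashes computed)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    found = {u: table[h] for u, _, h, s in records
             if hash_scheme(h, s) == "md5" and h in table}
    return found, len(wordlist)


def crack_salted_sha512(records, wordlist):
    """The salt forces the wordlist to be re-hashed per account; returns (found, work)."""
    found, work = {}, 0
    for user, _, digest, salt in records:
        if hash_scheme(digest, salt) != "sha512-salted":
            continue
        for word in wordlist:
            work += 1
            if hashlib.sha512(salt.encode() + word.encode()).hexdigest() == digest:
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    print("schemes:", scheme_counts(RECORDS))
    print("reset order:", reset_order(RECORDS))
    print("md5:", crack_unsalted_md5(RECORDS, WORDLIST))
    print("sha512+salt:", crack_salted_sha512(RECORDS, WORDLIST))
```

Two things to take from the numbers: the MD5 table costs one hash per wordlist entry no matter how many accounts are in the dump, while the salted rows cost up to one hash per entry per account, which is why a salt matters and why a slow, salted scheme such as bcrypt makes the same wordlist attack far more expensive again. In both cases bob's password survives only because it is not in the list, which is the point lighthunter80 makes.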
stevo23

Bravo!

3 days ago
sense601

Yesterday it was Eyeem's turn. Of course everything was safe, because of their super secure systems, but just to be sure STOP WHATEVER UR DOING AND CHANGE YOUR PW IMMEDIATELY!!!

3 days ago
kociasek

ROFL! 🤣

3 days ago
ManfredGrebler

Most important: in case you have used the same e-mail / password combination at any other site, you must change your password at all of those sites asap.

3 days ago
tkbslc

wish I could remember what I used on 500px. I swear I made an account 5 years ago and never used it.

3 days ago
lightandaprayer

If you aren't already using a password management app, you might want to start. Then you don't need to remember if you have an account and the password you used.

The password generator tool that 1Password and other apps have is something I use all the time. It makes it less likely that I will simply use the same password for multiple websites.

1Password also has a feature called "Watchtower" that provides alerts when a website for which you have an account has been hacked. That way you know you may have a problem if you missed hearing about it in the media and can change the compromised password.

3 days ago
tkbslc

I don't like those password generators as it's a PITA to type 20 random digits. I'd rather use a long sentence or string of words.

I did use the same password for everything 5 years ago, though, which is why I'm a little concerned. Hoping I've changed everything since then, but even with a password manager, I still find things I've missed.

3 days ago
RLG60

I'm using password generators, long sentence or a combination of both.

3 days ago
lightandaprayer

Many websites require using numbers and punctuation marks while also limiting the maximum number of characters. . . It's frustrating! Some of the requirements actually reduce the strength of the possible passwords.

3 days ago*
kociasek

"has found now signs"
This should read "has found no signs".

3 days ago*