[BreachExchange] Hacker posts 1.9 million Pixlr user records for free on forum

Fri Jan 22 11:05:58 EST 2021

https://www.bleepingcomputer.com/news/security/hacker-posts-19-million-pixlr-user-records-for-free-on-forum/

A hacker has leaked 1.9 million Pixlr user records containing
information that could be used to perform targeted phishing and
credential stuffing attacks.

Pixlr is a very popular and free online photo editing application with
many of the same features found in a professional desktop photo editor
like Photoshop. While Pixlr offers basic editing tools for free, the
site also provides premium memberships that include more advanced
tools, stock photos, and other features.

Over the weekend, a threat actor known as ShinyHunters shared a
database for free on a hacker forum that he claims was stolen from
Pixlr while he breached the 123rf stock photo site. Pixlr and 123rf
are both owned by the same company, Inmagine.

Pixlr database leaked for free

ShinyHunters is a threat actor well-known for hacking into websites
and selling stolen user databases in private sales or via data breach
brokers. In the past, ShinyHunters has been responsible for data
breaches at Tokopedia, Homechef, Minted, Chatbooks, Dave, Promo,
Mathway, Wattpad, and many more.

The alleged Pixlr database posted by ShinyHunters contains 1,921,141
user records consisting of email addresses, login names, SHA-512
hashed passwords, a user's country, whether they signed up for the
newsletter, and other internal information.

Sample of records in the database

ShinyHunters stated he downloaded the database from the company's AWS
bucket at the end of 2020.

After sharing the database, many other threat actors who frequent the
hacker forum shared their appreciation as attackers could use the data
for their malicious activities.

While Pixlr has not responded to our email about the leaked database,
BleepingComputer has confirmed that many of the email addresses in the
database are registered Pixlr members.

What should Pixlr users do now?

As some of the exposed data is confirmed as accurate, it does appear
to be a legitimate breach.

It is strongly suggested that all Pixlr users immediately change their
passwords on the site out of an abundance of caution. Users should use
a unique and strong password that is not used at any other site.

If the same password at Pixlr is used at other sites, you should
change your password at these sites and one unique for the site.

A password manager is recommended to help you manage the unique
passwords you use at different sites.

Update 1/20/2021: Article was updated to include the correct number of
user records. Originally, we stated 1.4 million user records, but the
actual number is 1.9 million.