This morning, I received an email from 500px requiring that I change my password after they became aware of a “security issue” on the site on Friday 8th February. This might sound like 500px is jumping on the issue quickly, however, the breach actually happened way back on July 5th, 2018.
After detecting the breach, 500px says that they “immediately launched a comprehensive review of our systems” to figure out exactly what happened and what the impact was. They say that they have been working with third-party security experts and are coordinating with law enforcement authorities.
The email explains what happened…
On February 8, 2019, our engineering team became aware of a potential security issue affecting certain user profile data. We immediately launched a comprehensive review of our systems to understand the nature and scope of the issue. We engaged a third-party expert to assist us in our investigation and are coordinating with law enforcement authorities on this matter.
Based on our investigation to date, we believe that an unauthorized party gained access to our systems and acquired partial user data on approximately July 5, 2018. We’ve concluded this issue affected certain information that users provided when filling out their user profiles, as listed below. Our engineers are closely monitoring our platform and we’ve found no evidence to date of any recurrence of this issue.
What personal data may have been affected?
- Your first and last name as entered on 500px
- Your 500px username
- The email address associated with your 500px login
- A hash of your password, which is hashed using a one-way cryptographic algorithm
- Your city, state/province, country, if provided
- Your birth date, if provided
- Your gender, if provided
At this time, there is no indication of unauthorized access to your account, and no evidence that other data associated with your user profile was affected, such as credit card information (which is not stored on our servers), if used to make any purchases, or any other sensitive personal information.
While the email said that there is no indication that there was unauthorised access to my account, it does say that passwords which haven’t been changed since October 2012 may be “reverse-engineered”, giving somebody access to your account, hence the forced password change. Presumably by “reverse-engineered” they mean that those older passwords were stored using a basic one-way hash such as MD5, and that an attacker could brute-force the hashes to recover the original passwords.
Given the nature of the personal data involved, we are alerting you to this matter so you can take steps to help protect yourself against the risk of phishing, spam, and other misuse of your information as a result of this issue.
In addition, if you have not changed your password on 500px since October 2012, there is a risk that your hashed password could be reverse-engineered to allow an unauthorized party to compromise your 500px account. The sections below provide information on the steps taken to protect your account, as well as further instructions for you.
500px says that in response, they have already reset passwords, requiring users to create a new one to regain access to their accounts. They say that they have also “vetted access” to their servers, databases and sensitive data-storage services, and that they are monitoring both public and internal source code for further exploits. With the assistance of cybersecurity experts, they are working to strengthen the security of their website, mobile apps and internal systems. They don’t say whether this was a public attack against 500px from across the web or an attack from within, through associations with other services.
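As an added illustration, not code from 500px or from the original post, of why the older hashes are the weak point and how a site can flag or migrate them: the constructed store below assumes legacy records are unsalted MD5 (the notice does not name the algorithm) and newer ones are salted, iterated PBKDF2-SHA256. `verify_and_upgrade` re-hashes a legacy record on the next successful login, and `accounts_needing_reset` lists accounts that still need the kind of forced reset 500px applied; all user records are constructed samples.

```python
import hashlib
import hmac
import os
from datetime import date

# Assumed parameters for this example (not 500px's real settings).
PBKDF2_ITERATIONS = 600_000
LEGACY_CUTOFF = date(2012, 10, 1)  # passwords not changed since then need a reset


def hash_legacy(password: str) -> str:
    """Unsalted fast hash: cheap to compute, so cheap to guess at scale."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_pbkdf2(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash; the salt and work factor are stored with the digest."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(user: dict, password: str) -> bool:
    """Check a login and, on success, transparently move a legacy record to PBKDF2."""
    stored = user["password_hash"]
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_hex, _ = stored.split("$")
        candidate = hash_pbkdf2(password, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, stored)
    # Legacy record: constant-time compare, then re-hash if the password is correct.
    if hmac.compare_digest(hash_legacy(password), stored):
        user["password_hash"] = hash_pbkdf2(password)
        user["password_changed"] = date.today()
        return True
    return False


def accounts_needing_reset(users: list, cutoff: date = LEGACY_CUTOFF) -> list:
    """Flag accounts whose hash is still legacy or was last set on or before the cutoff."""
    return [u["username"] for u in users
            if not u["password_hash"].startswith("pbkdf2_sha256$")
            or u["password_changed"] <= cutoff]


# Constructed sample records (not real 500px data).
USERS = [
    {"username": "alice", "password_hash": hash_legacy("sunset500"),
     "password_changed": date(2011, 3, 2)},
    {"username": "bob", "password_hash": hash_pbkdf2("c0rrect-horse"),
     "password_changed": date(2018, 1, 9)},
]
```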
As usual, the recommendation is to change your password on any other website where you might have used the same password as on 500px. There is a FAQ on the 500px website where you can find out more. 500px is based in Canada and owned by Visual China Group.