37 Million Photographers Might Want to Make New Passwords

37 Million Photographers Might Want to Make New Passwords

As user privacy abuse and data breaches become more and more commonplace we are being conditioned to be less and less surprised. If you had an account at popular photography sites 500px or EyeEm, you might want to read this.

We were informed directly and proactively by some of our 500px contacts about a recent article that was published on The Register highlighting the actions and exposure of a hacker selling a historically large database of usernames and passwords. The hacker, claiming to need the money, was able to exfiltrate over 620 million user account details from 16 sites, and currently has them all for sale on the dark web.

500px and EyeEm were the only photography sites on the breach list. I personally have accounts on both networks although I'm no longer actively posting. I was not alone as EyeEm saw 22 million accounts exposed, and 500px had 15 million. Both 500px and EyeEm have responded with a mandatory password change. This is a great idea considering many users may never hear about the breach in the nature of today's infinite news cycle.

I visited EyeEm and noticed I had used Facebook to login so there would be no password included in the stolen database. This is a good reason to consider using that same option in the future. After all, we can always trust Facebook. Right?

As you're making new accounts online for posting your photos or whatever, make sure you are using unique site-specific passwords. If your current accounts need a 2019 reality check, do it now while you are thinking about it.

Log in or register to post comments


Rob Davis's picture

This is a weekly thing now.

Robert Nurse's picture

Because there are no real sanctions for lax security and a lack of transparency on the part of data stewards. Did anything really happen to Equifax, FB and the like? No. They got yelled at. But, that's about it. When they lose profits because of it and/or corporate officers go to jail, THEN you'll see change.

Daris Fox's picture

Maybe not in the US, but they could be looking at a massive fine in the EU due to GDPR.

michaeljin's picture


Rob Mitchell's picture

Then you get one of those emails that says.
Dear Rob, you might be surprised to get an email from yourself, I need bitcoin from you to show not your dirty sekrits to peeepols. etc etc etc. ?

Vitya Unyaya's picture

Awful if this happens. I even read an article about bitcoin here https://bitcoinbestbuy.com/what-is-bitcoin/ but I don’t understand why it is bitcoin that is used in this way?

The important part reads:"These passwords are hashed, or one-way encrypted, and must therefore be cracked before they can be used."

Which basically means if your password was long enough, your account is still safe. Long = Strong. Far more important than the mandatory use of funky characters.

Ariel Martini's picture

If you have your own domain, for instance peterthephotographer.com you can set an universal forwarder to you personal account. so anything@peterthephotographer.com will get forwarded. When you sign up for a site/service, use an exclusive email, for instance 500px@peterthephotographer.com - That way if the account leaks, it's useless to the attacker. Also, if you start receiving spam on that email, you already know what happened (and can easily block)

Jeff McCollough's picture

They didn't tell us to change out passwords.

500px told me to change it when I tried to log in.

Daris Fox's picture

I use enpass (enpass.io) to create a password vault, it's free for desktop (and a one off fee for the mobile app). I use unique passwords for all the sites I have accounts for.

Michael B. Stuart's picture

That looks similar to what I use, 1Password. Something like this is a must in my opinion.