Slashdot Mirror


Personal Information of 14.8 Million 500px Users Exposed In Security Breach (theverge.com)

Photo-sharing service 500px has announced that it was the victim of a hack back in July 2018 and that personal data was exposed for all the roughly 14.8 million accounts that existed at the time. PetaPixel reports: In an email sent out to users and an announcement posted to its website, 500px states that it was only on February 8th, 2019, that its team learned of an unauthorized intrusion to its system that occurred on or around July 5th, 2018. The personal data that may have been stolen by the intruder includes first and last names, usernames, email addresses, password hashes (i.e. not plaintext passwords), location (i.e. city, state, country), birth date, and gender. The company has reset all 500px account passwords, so to get back into your account you'll need to pick a new one using the recovery email system. "At this time, there is no indication of unauthorized access to your account, and no evidence that other data associated with your user profile was affected, such as credit card information (which is not stored on our servers), if used to make any purchases, or any other sensitive personal information," 500px says. "We recommend you change your password on any other website or app on which you use a password that is the same as or similar to your password for your 500px account," 500px says.
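The summary stresses that what leaked were password hashes rather than plaintext passwords, yet still tells users to change any reused password. How much that distinction is worth depends on how the hashes were produced: unsalted fast hashes are far cheaper to reverse than salted, memory-hard ones. The block below is an added example written for this page, not 500px's code (which is not public); the record format "scrypt$N$r$p$salt$hash", the work factors, the legacy "sha1$" scheme and the sample users are all this example's own constructions. It shows salted scrypt hashing with the Python standard library, constant-time verification, and transparent re-hashing of weak or under-parameterised records at the next successful login.

```python
"""Salted, memory-hard password hashing with the Python stdlib.

Added example (not 500px code). The record format "scrypt$N$r$p$salt$hash"
and the work factors below are this example's own choices.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factors, constructed for this example; raise them as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P, SALT_LEN, DKLEN = 2 ** 14, 8, 1, 16, 32


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """Run scrypt; maxmem is set above the ~128*n*r bytes the parameters need."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=64 * 1024 * 1024, dklen=DKLEN)


def hash_password(password: str, salt: Optional[bytes] = None,
                  n: int = SCRYPT_N) -> str:
    """Return a self-describing record with a fresh random salt per password."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = _derive(password, salt, n, SCRYPT_R, SCRYPT_P)
    return "$".join(["scrypt", str(n), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Constant-time comparison against a record of either known scheme."""
    parts = record.split("$")
    try:
        if parts[0] == "scrypt" and len(parts) == 6:
            _, n, r, p, salt_hex, hash_hex = parts
            candidate = _derive(password, bytes.fromhex(salt_hex),
                                int(n), int(r), int(p))
            return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))
        if parts[0] == "sha1" and len(parts) == 2:
            # Legacy unsalted SHA-1 (constructed here): verify only to migrate.
            candidate = hashlib.sha1(password.encode("utf-8")).digest()
            return hmac.compare_digest(candidate, bytes.fromhex(parts[1]))
    except ValueError:  # malformed hex, bad integers or rejected parameters
        return False
    return False


def needs_rehash(record: str) -> bool:
    """True if the record uses a weaker scheme or parameters than current."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    n, r, p = (int(x) for x in parts[1:4])
    return (n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P
            or len(parts[4]) < 2 * SALT_LEN)


def authenticate(store: Dict[str, str], username: str, password: str) -> bool:
    """Check a login and, on success, upgrade a weak record in place."""
    record = store.get(username)
    if record is None or not verify_password(password, record):
        return False
    if needs_rehash(record):
        store[username] = hash_password(password)
    return True


if __name__ == "__main__":
    # Constructed sample store: one current record, one legacy SHA-1 record.
    users = {
        "alice": hash_password("correct horse battery staple"),
        "bob": "sha1$" + hashlib.sha1(b"hunter2").hexdigest(),
    }
    print(authenticate(users, "alice", "correct horse battery staple"))
    print(authenticate(users, "bob", "hunter2"))
    print(users["bob"].startswith("scrypt$"))  # upgraded on successful login
    print(authenticate(users, "bob", "wrong"))
```

The upgrade-on-login step is what lets a site move an existing user base off weak hashes without ever holding plaintext passwords; records that never log in again stay weak, which is one reason a forced reset like 500px's is sometimes the only option after a breach.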

27 comments

  1. No cost for companies by houghi · · Score: 3, Interesting

    As long as there is no cost for the companies when this happens, we will keep seeing this.

    I would propose a 1USD for each account that has been breached. That way small companies pay small amounts and large companies pay large amounts.

    The best to give this money to is the NSA. Hear me out. They will have an incentive to breach companies and the companies will have an incentive to make their data secure against attacks of governments world-wide.

    That is a win-win situation. The NSA is occupied with (indirectly) security instead of surveillance. We all get better privacy, because of this.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:No cost for companies by ReneR · · Score: 1

      Don't think costs will help much. There are already lawsuit costs and loss of customers due to lost trust today. For the most part many companies, management, but also developers (who sometimes are not even that skilled and can barely click stuff together) plus many systems and languages (hint: PHP) are also inherently insecure. We need a whole new security first thinking. Also if that would be your company, and you architected a really nice and secure system, and then there is one stupid small little typo bug and stuff leaks, do you really wanna pay millions of fines for that? While speaking about security – last night I live stream talked about microkernels, because security first, right? https://www.youtube.com/watch?...

    2. Re:No cost for companies by AmiMoJo · · Score: 1

      GDPR makes the fine up to 4% of global turnover, which seems like a good way of scaling it to the size of the company. The money should go to the victims, although due to it being difficult to identify them that probably means it would be spent on providing everyone with stuff like identity fraud protection.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re: No cost for companies by Anonymous Coward · · Score: 0

      LOL I needed that

    4. Re:No cost for companies by kaur · · Score: 2

      The best to give this money to is the NSA.

      500px is a Canadian company.
      Why should they pay an intelligence service of a foreign power?
      Maybe give the cash to Chinese or Russians instead of USA?

    5. Re:No cost for companies by ctilsie242 · · Score: 1

      Nothing is going to get done until a company's articles of incorporation papers are dissolved, and the corporate veil pierced if there are enough egregious violations of security.

      With the fact that anyone in the top brass can short their stock or buy put options when they find out about the breach, then finish the transaction after the public announcement, after things tumble, and make a mint from it. Not like this is insider trading or anything.

    6. Re:No cost for companies by dgatwood · · Score: 1

      I would propose a 1USD for each account that has been breached. That way small companies pay small amounts and large companies pay large amounts.

      The risk is that some companies will treat this not as a fine, but rather as a fee, with small companies saying, "Yeah, but we can just pay a buck per account, and we're good," and large companies being the only ones to take security seriously.

      I think it would be better for the fine to be proportional to how much effort the company spent on ensuring that your information is secure.

      • If the company didn't encrypt passwords when stored on disk, it should be a million dollars per account. End the company once and for all, even if they only have ten customers.
      • If the company had an amazing security infrastructure with multiple layers of well-thought-out crypto and somebody managed to inject JavaScript code into the client using some clever user-provided CSS that didn't quite get sanitized completely, the fine should be fractions of a cent per customer.

      That way, the penalty matches the crime.

      Of course, if prosecutors aren't willing to press charges, having the law won't do any good. They almost certainly could go after many of these companies under existing law, but rarely do, so it's not clear whether additional laws would make any difference.

      The best to give this money to is the NSA. Hear me out. They will have an incentive to breach companies and the companies will have an incentive to make their data secure against attacks of governments world-wide.

      No. Just no. I mean, I get what you're saying, but we really don't need the NSA to increase their focus on internal stuff like this, because that will necessarily draw their focus away from other, more important intelligence gathering, like rooting out terrorist cells. Instead, the money should go to fund a nonprofit organization whose goal is to provide support for small companies who want to improve their security, kind of like tobacco taxes fund tobacco education campaigns.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. Pixel Math by mentil · · Score: 1

    500px has announced that it was the victim of a hack back in July 2018 and that personal data was exposed for all the roughly 14.8 million accounts that existed at the time. PetaPixel reports:

    500px * 14.8 million users < 1 PetaPixel
    Sorry, that's where my mind went.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re: Pixel Math by Anonymous Coward · · Score: 0

      WRONG. A petapixel would be in units of px^2 by implications of what it is. No regular consumer is going to have a 500px x 1px picture. Now you could try for something like 500^0.5 for the average dimensions of a square picture (like 23x23), and that shows that we're going nowhere with this thought.

  3. all volunteers by Anonymous Coward · · Score: 0

    no one forced to click mindlessly.. cease fire stand down.. there are mothers & children in every town..

  4. Why was it all in one database? by cjonslashdot · · Score: 1

    Guess the programmers don't know about compartmentalization, and the ops people don't know about intrusion detection. http://www.transition2agile.co...

    1. Re:Why was it all in one database? by mentil · · Score: 1

      They took the 'move fast and break things' credo literally. If they went Waterfall the database would've been lost in a flood. They wanted to try pair coding but couldn't find enough married programmers. Then they attempted to pivot to cowboy coding, with plenty of spaghetti code, but Sergio Leone wasn't available for that.

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    2. Re:Why was it all in one database? by ctilsie242 · · Score: 2

      That is a microcosm of the industry in general. Take a typical company. They are pivoting to DevOps, and have implemented Scrum. A manager takes the role of the SCRUM master and turns daily stand-up meetings into kangaroo court sessions with developers wringing their hands, pointing to someone, and saying, "wah! He's blocking me!" Because marketing already sold the feature to customers, development is always in a permanent sprint to throw -anything- together so the sales people are not considered total liars.

      Now comes the conundrum. A dev, if they don't make those deliverables, will get fired or offshored. So, anything that gets in the way, be it security, using fewer resources, or code robustness, gets set aside. The tech debt is increased. Yes, the code has to run as an unconstrained root user, with full access to the DB, but the deliverable was made, and the coder can go on to the next thing marketing sold to the client as a feature already there. The developer has a choice between working on security, but then the developer fails to make the deliverable on time, will be threatened daily at the standup meeting, and ultimately booted. On the other hand, if the lack of security causes a breach and lawsuits, the developer is quite insulated from the consequences, as there are layers upon layers of company stuff.

      So, for a developer, there is zero incentive to build any security in the product.

      Now for management. To them, security has no ROI, and any consequences of an insecure product don't affect them. At worst, stock values tumble for a week or so, then go back up.

      As it stands now, with the feeling that "the only profit a lock makes is for the lock maker", it is no wonder why security breaches are so common.

    3. Re:Why was it all in one database? by bodog · · Score: 1

      simply mod++ , too many things to quote and agree with after seeing this up close and personal :)

    4. Re:Why was it all in one database? by cjonslashdot · · Score: 1

      Yeah, they needed Clint Eastwood to shoot the bad and the ugly!

  5. Can't lose what they don't have. by fox171171 · · Score: 2

    The personal data that may have been stolen by the intruder includes first and last names, usernames, email addresses, password hashes (i.e. not plaintext passwords), location (i.e. city, state, country), birth date, and gender.

    Of those, username, email address, password hash are the only information that they should have had.

    1. Re:Can't lose what they don't have. by MichaelJ · · Score: 1

      Agreed - who the hell provides their birthday to a photo sharing service? If it's required because of the possibility of adult content, who the hell provides their *real* birthday?

      --

      Michael J.
      Root, God, what is difference?
    2. Re:Can't lose what they don't have. by Anonymous Coward · · Score: 0

      This is why I provide phony information to every web site that makes me create an account to use their free stuff. My age, address, city, income, etc. are just made-up values. An identity thief would have trouble using that information to get anything when the inevitable hack like this occurs.

  6. Unconstitutional use of federal resources by Anonymous Coward · · Score: 0

    Can you show me in the constitution where the Federal Government has the authority to act as a penetration testing agency for the private sector?

    Claiming that this is a "national defense" need is a real stretch.

    1. Re: Unconstitutional use of federal resources by Anonymous Coward · · Score: 0

      Can you blame them? When their president says that building the wall will help fix our "national emergency".

      They are all idiots.

  7. Photo-sharing? by Anonymous Coward · · Score: 0

    What is a "Photo Sharing Service" and why would I want one?

  8. birthdays? by Anonymous Coward · · Score: 0

    Why would you give your real birthday to a photo site?
    There was no reason for them to have this in the first place.

    I think we all agree people freely share data too easily and with whomever asks.

  9. It's all gone already by Shotgun · · Score: 1

    We have a "One BILLION Users" lose their personal data story on /. about once every two days. At this point, is there anyone that doesn't have all their data in the wild? How is that mathematically possible?

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  10. I propose by Anonymous Coward · · Score: 0

    I propose you suck the shit out of my elongated asshole

  11. Very little information is *required* by Fencepost · · Score: 1

    It notes first/last, birthdate, location (as provided by the user for their profile), gender along with username, email and password hashes.

    After changing my password and signing in, checking my profile shows that none of those are filled except username, email and (presumably) password hash, and I'm 99% sure (it was based on a pattern since I was going to be entering it on multiple devices and since I frankly don't *care* about the security of my 500px account) I've not used that specific password anywhere else.

    For just about any website or company out there, you need to operate as if this *will* happen. Even Google and Facebook could have breaches expose some data - they put a lot of effort and expense into security, but they're also big targets including for state actors (e.g. the NSA monitoring back in 2013ish that resulted in Google putting a lot more internal security in place). Use a password manager and unique passwords, don't provide more information than the minimum required to use the service, etc.

    --
    fencepost
    just a little off