Personal Information of 14.8 Million 500px Users Exposed In Security Breach (theverge.com)
Photo-sharing service 500px has announced that it was the victim of a hack back in July 2018 and that personal data was exposed for all the roughly 14.8 million accounts that existed at the time. PetaPixel reports: In an email sent out to users and an announcement posted to its website, 500px states that it was only on February 8th, 2019, that its team learned of an unauthorized intrusion to its system that occurred on or around July 5th, 2018. The personal data that may have been stolen by the intruder includes first and last names, usernames, email addresses, password hashes (i.e. not plaintext passwords), location (i.e. city, state, country), birth date, and gender. The company has reset all 500px account passwords, so to get back into your account you'll need to pick a new one using the recovery email system. "At this time, there is no indication of unauthorized access to your account, and no evidence that other data associated with your user profile was affected, such as credit card information (which is not stored on our servers), if used to make any purchases, or any other sensitive personal information," 500px says. "We recommend you change your password on any other website or app on which you use a password that is the same as or similar to your password for your 500px account," 500px says.
As long as there is no cost for the companies when this happens, we will keep seeing this.
I would propose 1 USD for each account that has been breached. That way small companies pay small amounts and large companies pay large amounts.
The best to give this money to is the NSA. Hear me out. They will have an incentive to breach companies and the companies will have an incentive to make their data secure against attacks of governments world-wide.
That is a win-win situation. The NSA is occupied with (indirectly) security instead of surveillance. We all get better privacy, because of this.
Don't fight for your country, if your country does not fight for you.
The personal data that may have been stolen by the intruder includes first and last names, usernames, email addresses, password hashes (i.e. not plaintext passwords), location (i.e. city, state, country), birth date, and gender.
Of those, username, email address, and password hash are the only information that they should have had.
That is a microcosm of the industry in general. Take a typical company. They are pivoting to DevOps, and have implemented Scrum. A manager takes the role of the SCRUM master and turns daily stand-up meetings into kangaroo court sessions with developers wringing their hands, pointing to someone, and saying, "wah! He's blocking me!" Because marketing already sold the feature to customers, development is always in a permanent sprint to throw -anything- together so the sales people are not considered total liars.
Now comes the conundrum. A dev, if they don't make those deliverables, will get fired or offshored. So, anything that gets in the way, be it security, using fewer resources, or code robustness, gets set aside. The tech debt is increased. Yes, the code has to run as an unconstrained root user, with full access to the DB, but the deliverable was made, and the coder can go on to the next thing marketing sold to the client as a feature already there. The developer has a choice between working on security, but then the developer fails to make the deliverable on time, will be threatened daily at the standup meeting, and ultimately booted. On the other hand, if the lack of security causes a breach and lawsuits, the developer is quite insulated from the consequences, as there are layers upon layers of company stuff.
So, for a developer, there is zero incentive to build any security in the product.
Now for management. To them, security has no ROI, and any consequences of an insecure product don't affect them. At worst, stock values tumble for a week or so, then go back up.
As it stands now, with the feeling that "the only profit a lock makes is for the lock maker", it is no wonder why security breaches are so common.