500px and EyeEm Among Websites With Stolen Account Details

Now would be a great time to change all your passwords if you’re on 500px, EyeEm, and other websites reported to have been hacked.

We’re still pretty much fresh into 2019 but there’s already a major reason to stay vigilant over your online accounts. Some 620 million accounts from 16 websites have been compromised in a recent data breach, according to a report by The Register. These include photography websites 500px and EyeEm. If you’re on any of these platforms, we strongly suggest you change your passwords now, if you haven’t yet.

Done? Great. Now, for the details.

According to the report, the accounts with stolen details recently went up for sale on the dark web, on the Dream Market cyber-souk in the Tor network, for less than $20,000 in Bitcoin:

Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).

The Register was able to confirm this through some sample account records, and found that the databases consist primarily of account holder names, email addresses, and passwords. Other information includes personal and location details, but bank information doesn’t seem to be included on the list. The passwords, however, are hashed or one-way encrypted, so they still need to be cracked before they can be used.

Still, 9to5Mac has also reported that some of the passwords are hashed only with the quick-to-crack MD5 algorithm. An e-mail tip we received from an IT specialist said that 500px is using MD5 to encrypt and protect sensitive data. 500px has since sent an email notifying its users of the data breach, and while it has some reassuring bits, changing passwords now is imperative.
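For site operators, the MD5 problem described above has a standard fix: verify against the old hash one last time at login, then re-store the password under a salted, deliberately slow function. The sketch below is an added example, not code from any of the affected sites; the function names, record format, sample users and iteration count are all assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def legacy_md5(password):
    """Constructed legacy scheme: a single fast, unsalted MD5 pass."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def slow_hash(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC rounds."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify(password, record):
    """Check a password against either record format in constant time."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        expected = legacy_md5(password)
    elif scheme == "pbkdf2":
        iterations, salt_hex, _ = rest.split("$")
        expected = slow_hash(password, bytes.fromhex(salt_hex), int(iterations))
    else:
        return False
    return hmac.compare_digest(expected, record)


def login(store, user, password):
    """Authenticate; on success, replace a legacy MD5 record with PBKDF2."""
    record = store.get(user)
    if record is None or not verify(password, record):
        return False
    if record.startswith("md5$"):
        store[user] = slow_hash(password)  # upgrade while we hold the plaintext
    return True


# Constructed sample data: two users who picked the same password.
store = {"alice": legacy_md5("sunset2019"), "bob": legacy_md5("sunset2019")}
```

With unsalted MD5 the two sample users share one identical hash, so a single cracked value exposes both; after each logs in, their records differ because each gets its own random salt. Accounts that never log in again keep their MD5 record, which is why a forced reset is still needed after a breach.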

“Anyone on 500px should immediately change their password, and assume if they had a paid account that their payment information has been compromised…” said our IT specialist in his email.

EyeEm has also already informed affected users about the hacking and disabled old passwords, urging them to reset their passwords immediately.

The significance of this data breach goes further than the hacked websites. The reports also mentioned that buyers of stolen account details typically use these to break into other accounts, a practice called “credential stuffing” wherein they use the same e-mail addresses and passwords to log on to popular websites and services.