MicrostockGroup
Topic started by: Noedelhap on November 14, 2020, 16:16
-
Dear 123RF member,
I am writing to inform you that an alleged data breach involving some of our members’ account information may have recently occurred on 123RF.com.
We learned about the suspected data breach on November 10, 2020 and upon extensive internal inquiries we believe that your username, email, password (in encrypted form) and other account related details may have been compromised at this point of time.
Please rest assured, we can confirm that the alleged data breach does not include any credit card, Paypal, Skrill, Ideal or any other bank details as we do not store such information.
However, in line with good security practices and to ensure the highest level of protection to your account, we advise you to change your password. You can set a new password by clicking here or when you next try to log into your account at 123RF an email will be sent to you to start the process.
Please be assured that 123RF is now secure as we have incorporated additional security measures such as stronger password requirements and last logged in location detection to secure your account better. We also undertake to work with the relevant authorities and organization and will fully cooperate with their investigations as we continue to safeguard your data.
We are deeply sorry for the inconvenience and concern this may have caused you. At 123RF, we are committed to building a creative platform that promotes creativity and entrepreneurship. Over the years, we have been making upgrades and improvements, including the recently added creative tools that allow users to have a seamless creative journey within the site. We will continue to champion this idea and thank you for your support all this time.
Stephanie Sitt
CEO
-
"Have I Been Pwned" website also sent a notification (I'm a subscriber) with clear information - the email from 123RF is rather wishy-washy.
According to Have I Been Pwned the breach happened in March 2020.
Email found: xxxxxxxxxxxxx
Breach: 123RF
Date of breach: 22 Mar 2020
Number of accounts: 8,661,578
Compromised data: Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames
Description: In March 2020, the stock photo site 123RF suffered a data breach which impacted over 8 million subscribers and was subsequently sold online. The breach included email, IP and physical addresses, names, phone numbers and passwords stored as MD5 hashes. The data was provided to HIBP by dehashed.com."
-
Maybe this explains the SPAM I have received since September on the email address I use for 123RF.
-
I also got the emails from 123 and pwned,
"Please be assured that 123RF is now secure " oh great, NOW it's secure, what was it before???!!!!
There seems to be no penalty for these companies allowing hacks to happen, clearly they could have stopped it beforehand, because NOW they have fixed it. Who knows how it happened? Could have been a hack, or an internal employee leaking the data, or weak systems.
But it's just "oh we're sorry" now we've fixed it. It should be investigated and if found to be a company failure to protect our data, they should be fined.
To be honest, they have gone downhill so much in the last few years, it's probably a lack of money. I should really just give up with them.
If this has happened once, then they probably won't be regularly 'on the ball' with system security.
-
I received the same eMail, but didn't use the link they sent to reset my password - I went directly to the 123 website and clicked reset password from there. It's all very suspicious and it is getting more difficult to just do a regular login.
-
Another incident highlighting why nobody should reuse passwords....
Why none of these sites offer 2 factor authentication I'll never know...
There seems to be no penalty for these companies allowing hacks to happen,
Depends where they're located in the world. In the UK that would be an ICO breach and automatic fine relative to earnings.
-
I never received the email, so I appreciate seeing this posted here.
I had to reset my password on my last login and wondered what had caused it.
-
I got it and changed my password. Now I get an endless parade of recaptcha crap and can never get to the site. As far as I'm concerned recaptcha is the worst thing that ever happened to the web. Other than animated gifs
-
I got the same e-mail. The problem is, when I try to reset password the "Change password" button with yellow tab is unclickable (it's clickable at the beginning, but when I start typing new password it becomes unclickable), so I can't change password nor can I login because old password doesn't work. I wonder if I'll get the payout which I should this month. Anyone else scheduled to receive payment this month, and did you receive it yet?
-
I got the same e-mail. The problem is, when I try to reset password the "Change password" button with yellow tab is unclickable
Make sure the new password you type meets all the requirements, then tab to the next field. It took me a couple of tries before the button activated.
-
I did, I put just random letters (upper case also), special characters and numbers still nothing. I tried iexplorer, same thing.
Ok, nevermind, I got it. I used "-" character and apparently that wasn't good enough, now I tried "@" and it works.
Logged in. No sales. Logged out.
-
I tried to login before I got the email, and received a security notice requesting me to change my email. I created a strong password and can login, but only to the customer site, when I try to login to the contributor site, the new password doesn't work. I can use the old password, which prompts me to change the password, and the whole process starts again.
I've been round and round in circles since yesterday, and now I'm waiting for support to get back to me.
-
Same here.
-
Now is OK.
-
I also got the emails from 123 and pwned,
"Please be assured that 123RF is now secure " oh great, NOW it's secure, what was it before???!!!!
There seems to be no penalty for these companies allowing hacks to happen, clearly they could have stopped it beforehand, because NOW they have fixed it. Who knows how it happened? Could have been a hack, or an internal employee leaking the data, or weak systems.
But it's just "oh we're sorry" now we've fixed it. It should be investigated and if found to be a company failure to protect our data, they should be fined.
If it's online, it's prone to hacking. This sort of thing happens constantly - it would be difficult to prosecute and would discourage service providers from doing ANYTHING when a breach did happen for fear that they'd be prosecuted. They did the right thing only storing them as MD5 really ... the hash still has to be brute-forced to figure out the password, which is a slow process. So ... now your contact info is out there, like it wasn't already.
I almost enjoy when these things happen, even when it's my own account. These gentle reminders are good to change passwords and to not use the same one for everything.
-
Been there. Changed password. Yesterday or the day before.
This morning another email, same text as before.
I'm guessing it's just a fouled up system and not that they have been hacked...again!
-
They did the right thing only storing them as MD5 really ... the hash still has to be brute-forced to figure out the password, which is a slow process. So ... now your contact info is out there, like it wasn't already.
I almost enjoy when these things happen, even when it's my own account. These gentle reminders are good to change passwords and to not use the same one for everything.
They say MD5 but no idea if salted or not, which makes a difference. Ultimately if it's not a password susceptible to dictionary attacks, IF the hashing is properly implemented it's no problem. But in so many cases it turns out the implementation was useless.
ICO in the UK regularly prosecutes and fines private companies for failing to secure data (although seems the government is exempt...). Look at TalkTalk, British Airways etc.
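The salted-or-not difference raised in the post above, as an added example that is not part of the thread and not 123RF's code: it contrasts an unsalted MD5 table with a per-user salted PBKDF2 record and shows an upgrade-on-login path. The account names, passwords, record format and iteration count are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000        # assumed work factor for PBKDF2-HMAC-SHA256
PREFIX = "pbkdf2_sha256$"   # hypothetical record format: prefix, iterations, salt, key

def legacy_md5(password):
    """Unsalted MD5: one fast hash, identical for every user with this password."""
    return hashlib.md5(password.encode()).hexdigest()

def shared_digests(table):
    """Groups of users whose stored value is identical, visible to anyone holding the dump."""
    groups = defaultdict(list)
    for user, digest in table.items():
        groups[digest].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def kdf_hash(password):
    """Per-user random salt plus a deliberately slow key derivation function."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{PREFIX}{ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(password, stored):
    """Check a password against either record format, comparing in constant time."""
    if stored.startswith(PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return hmac.compare_digest(legacy_md5(password), stored)

def login_and_upgrade(table, user, password):
    """On a successful login against a legacy record, replace it with a salted KDF record."""
    stored = table.get(user)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith(PREFIX):
        table[user] = kdf_hash(password)
    return True

# Constructed sample accounts; two users deliberately share a password.
USERS = {"alice": "Summer2020!", "bob": "Summer2020!", "carol": "x9#Lq7vT"}
LEGACY_TABLE = {u: legacy_md5(p) for u, p in USERS.items()}
```

With the legacy table, `shared_digests` reports alice and bob as a group; after each user logs in once, every record carries its own salt and no two records match.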
-
Been there. Changed password. Yesterday or the day before.
This morning another email, same text as before.
I'm guessing it's just a fouled up system and not that they have been hacked...again!
Yep, changed mine a couple days ago after first email. Got another email today. I only kept the account open because I was buying images for clients’ work. Don’t need it anymore, don’t contribute, will prolly just have them close it.
-
Interesting... when I went to their website they advised of a "Security Policy Change" and I had to update my password!
Damage limitation in action?!? Truth or... lying to their contributors to cover up their failing systems?!?
-
Can't log in at all today. After a dozen Captcha things I have given up. Twice. Anybody else got this?
-
Can't log in at all today. After a dozen Captcha things I have given up. Twice. Anybody else got this?
Yup. Me too.
-
Hi Everyone,
I can't login to my account for weeks now, due to a 'Security Upgrade'. I've been asked to renew my password following the instructions sent to my email account. But I neither receive any message or link, nor is the support team responding to my mails asking to solve this problem.
Am I the only one?
Rob
-
I have left this site but just found out that I was affected. I never received an email. I assume because I was no longer with them. I missed this thread.
Just be aware even if you left before the hack you will be compromised.