MicrostockGroup

Agency Based Discussion => 123RF => Topic started by: Noedelhap on November 14, 2020, 16:16

Title: Security breach - change your password
Post by: Noedelhap on November 14, 2020, 16:16
Quote
Dear 123RF member,

I am writing to you that an alleged data breach involving some of our members’ account information may have recently occurred on 123RF.com.

We learned about the suspected data breach on November 10, 2020 and upon extensive internal inquiries we believe that your username, email, password (in encrypted form) and other account related details may have been compromised at this point of time.

Please be rest assured, we can confirm that the alleged data breach does not include any credit card, Paypal, Skrill, Ideal or any other bank details as we do not store such information.

However, in line with good security practices and to ensure the highest level of protection to your account, we advise you to change your password. You can set a new password by clicking here or when you next try to log into your account at 123RF an email will be sent to you to start the process.

Please be assured that 123RF is now secure as we have incorporated additional security measures such as stronger password requirements and last logged in location detection to secure your account better. We also undertake to work with the relevant authorities and organization and will fully cooperate with their investigations as we continue to safeguard your data.

We are deeply sorry for the inconvenience and concern this may have caused you. At 123RF, we are committed to build a creative platform that promotes creativity and entrepreneurship. Over the years, we have been making upgrades and improvements, including the recent added creative tools that allows users to have a seamless creative journey within the site. We will continue to champion this idea and thank you for your support all this time.


Stephanie Sitt
CEO
Title: Re: Security breach - change your password
Post by: ravens on November 15, 2020, 00:19
"Have I been pawned" website  also sent a notification (I'm a subscriber) with clear information - the email from 123RF is rather wishy-washy.

According to Have I Been Pawned the breach happened in March 2020.



Email found:   xxxxxxxxxxxxx
Breach:   123RF
Date of breach:   22 Mar 2020
Number of accounts:   8,661,578
Compromised data:   Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames
Description:   In March 2020, the stock photo site 123RF suffered a data breach which impacted over 8 million subscribers and was subsequently sold online. The breach included email, IP and physical addresses, names, phone numbers and passwords stored as MD5 hashes. The data was provided to HIBP by dehashed.com."
Title: Re: Security breach - change your password
Post by: Groucho on November 15, 2020, 02:02
Maybe this explain the SPAM I receive since September on the email address I use for 123RF.
Title: Re: Security breach - change your password
Post by: BigLeague on November 15, 2020, 04:22
I also got the emails from 123 and pwned,
"Please be assured that 123RF is now secure " oh great, NOW its secure, what was it before???!!!!

There seems to be no penalty for these companies allowing hacks to happen, clearly they could have stopped it beforehand, because NOW they have fixed it. Who knows how it happened? could have been a hack, or an internal employee leaking the data, or weak systems.
But its just 'oh were sorry" now weve fixed it. It should be investigated and if found to be a company failure to protect our data, they should be fined.
To be honest, they have gone downhill so much in the last few years, its probably a lack of money. I should really just give up with them.
If this has happened once, then they probably wont be regularly 'on the ball' with system security.

Title: Re: Security breach - change your password
Post by: JetCityImage on November 15, 2020, 06:57
I received the same eMail, but didn't use the link they sent to reset my password - I went directly to the 123 website and clicked reset password from there. It's all very suspicious and it is getting more difficult to just do a regular login.
Title: Re: Security breach - change your password
Post by: gnirtS on November 15, 2020, 07:31
Another incident highlighting why nobody should reuse passwords....

Why . none of these sites offer 2 factor authentication i'll never know...

Quote
There seems to be no penalty for these companies allowing hacks to happen,

Depends where they're located in the world.  In the UK that would be an ICO breach and automatic fine relative to earnings.
Title: Re: Security breach - change your password
Post by: THP Creative on November 15, 2020, 09:40
I never received the email, so I appreciate seeing this posted here.

I had to reset my password on my last login and wondered what had caused it.
Title: Re: Security breach - change your password
Post by: dbvirago on November 15, 2020, 10:44
I got it and changed my password. Now I get an endless parade of recaptcha crap and can never get to the site. As far as I'm concerned recaptha is the worst thing that ever happened to the web. Other than animated gifs
Title: Re: Security breach - change your password
Post by: Dumc on November 15, 2020, 10:59
I got the same e-mail. The problem is, when I try to reset password the "Change password" button with yellow tab is unclickable (it's clickable at the beginning, but when I start typing new password it becomes unclickable), so I can't change password nor can I login because old password doesn't work. I wonder, if I'll get the payout which I should this month.Anyone else scheduled to receive payment this month and, did you received it yet?
Title: Re: Security breach - change your password
Post by: disorderly on November 15, 2020, 11:16
I got the same e-mail. The problem is, when I try to reset password the "Change password" button with yellow tab is unclickable

Make sure the new password you type meets all the requirements, then tab to the next field.  It took me a couple of tries before the button activated.
Title: Re: Security breach - change your password
Post by: Dumc on November 15, 2020, 11:39
I did, I put just random letters (upper case also), special characters and numbers still nothing. I tried iexplorer, same thing.

Ok, nevermind, I got it. I used "-" character and apparently that wasn't good enought, now I tried "@" and it works.

Logged in. No sales. Logged out.
Title: Re: Security breach - change your password
Post by: KuriousKat on November 15, 2020, 14:44
I tried to login before I got the email, and received a security notice requesting me to change my email. I created a strong password and can login, but only to the customer site, when I try to login to the contributor site, the new password doesn't work. I can use the old password, which prompts me to change the password, and the whole process starts again.

I've been round and round in circles since yesterday, and now I'm waiting for support to get back to me.
Title: Re: Security breach - change your password
Post by: trabuco on November 16, 2020, 02:20
Same here.
Title: Re: Security breach - change your password
Post by: enstoker on November 16, 2020, 07:40
Now is OK.
Title: Re: Security breach - change your password
Post by: DallasP on November 16, 2020, 14:25
I also got the emails from 123 and pwned,
"Please be assured that 123RF is now secure " oh great, NOW its secure, what was it before???!!!!

There seems to be no penalty for these companies allowing hacks to happen, clearly they could have stopped it beforehand, because NOW they have fixed it. Who knows how it happened? could have been a hack, or an internal employee leaking the data, or weak systems.
But its just 'oh were sorry" now weve fixed it. It should be investigated and if found to be a company failure to protect our data, they should be fined.

If it's online, it's prone to hacking. This sort of thing happens constantly - it would be difficult to prosecute and would discourage service providers from doing ANYTHING when a breach did happen for fear that they'd be prosecuted. They did the right thing only storing them as MD5 really ... the hash still has to be brute-forced to figure out the password, which is a slow process. So ... now your contact info is out there, like it wasn't already.

I almost enjoy when these things happen, even when it's my own account. These gentle reminders are good to change passwords and to not use the same one for everything.
Title: Re: Security breach - change your password
Post by: PZF on November 17, 2020, 06:21
Been there. Changed password. Yesterday or the day before.
This morning another email, same text as before.
I'm guessing it's just a fouled up system and not that they have been hacked...again!
Title: Re: Security breach - change your password
Post by: gnirtS on November 17, 2020, 12:26
They did the right thing only storing them as MD5 really ... the hash still has to be brute-forced to figure out the password, which is a slow process. So ... now your contact info is out there, like it wasn't already.

I almost enjoy when these things happen, even when it's my own account. These gentle reminders are good to change passwords and to not use the same one for everything.

They say MD5 but no idea if salted or not which makes a difference.  Ultimately if its not a password susceptible to dictionary attacks, IF the hashing is properly implemented its no problem.  But in so many cases it turns out the implementation was useless.

ICO in the UK regularly prosecutes and fines private companies for failing to secure data (although seems the government is exempt...).  Look at TalkTalk, British Airways etc.
Title: Re: Security breach - change your password
Post by: cathyslife on November 17, 2020, 15:25
Been there. Changed password. Yesterday or the day before.
This morning another email, same text as before.
I'm guessing it's just a fouled up system and not that they have been hacked...again!

Yep, changed mine a couple days ago after first email. Got another email today. I only kept the account open because I was buying images for clients’ work. Don’t need it anymore, don’t contribute, will prolly just have them close it.
Title: Re: Security breach - change your password
Post by: HalfFull on November 18, 2020, 03:35
Interesting... when I went to their website they advised of a "Security Policy Change" and I had to update my password!

Damage limitation in action?!? Truth or... lying to their contributors to cover up their failing systems?!?
Title: Re: Security breach - change your password
Post by: PZF on December 01, 2020, 06:00
Can't log in at all today. After a dozen Captcha things I have given up. Twice. Anybody else got this?
Title: Re: Security breach - change your password
Post by: Asthebelltolls on December 01, 2020, 11:39
Can't log in at all today. After a dozen Captcha things I have given up. Twice. Anybody else got this?

Yup. Me too.
Title: Re: Security breach - change your password
Post by: roboz on December 10, 2020, 22:39
Hi Everyone,

I can't login to my account for weeks now, due to a 'Security Upgrade'. I've been asked to renew my password following the instructions sent to my email account. But neither do I receive any message or link nor does the support team is responding to my mails asking to solve this problem.

Am I the only one?

Rob
Title: Re: Security breach - change your password
Post by: uvox4 on January 21, 2021, 14:50
I have left this site but just found out that I was affected. I never received a email. I assume because I was no longer with them. I missed this thread.

Just be aware even if you left before the hack you will be compromised.