pancakes

MicrostockGroup Sponsors


Author Topic: Security breach - change your password  (Read 11632 times)

0 Members and 1 Guest are viewing this topic.

« on: November 14, 2020, 16:16 »
+1
Quote
Dear 123RF member,

I am writing to you that an alleged data breach involving some of our members account information may have recently occurred on 123RF.com.

We learned about the suspected data breach on November 10, 2020 and upon extensive internal inquiries we believe that your username, email, password (in encrypted form) and other account related details may have been compromised at this point of time.

Please be rest assured, we can confirm that the alleged data breach does not include any credit card, Paypal, Skrill, Ideal or any other bank details as we do not store such information.

However, in line with good security practices and to ensure the highest level of protection to your account, we advise you to change your password. You can set a new password by clicking here or when you next try to log into your account at 123RF an email will be sent to you to start the process.

Please be assured that 123RF is now secure as we have incorporated additional security measures such as stronger password requirements and last logged in location detection to secure your account better. We also undertake to work with the relevant authorities and organization and will fully cooperate with their investigations as we continue to safeguard your data.

We are deeply sorry for the inconvenience and concern this may have caused you. At 123RF, we are committed to build a creative platform that promotes creativity and entrepreneurship. Over the years, we have been making upgrades and improvements, including the recent added creative tools that allows users to have a seamless creative journey within the site. We will continue to champion this idea and thank you for your support all this time.


Stephanie Sitt
CEO


« Reply #1 on: November 15, 2020, 00:19 »
0
"Have I been pawned" website  also sent a notification (I'm a subscriber) with clear information - the email from 123RF is rather wishy-washy.

According to Have I Been Pawned the breach happened in March 2020.



Email found:   xxxxxxxxxxxxx
Breach:   123RF
Date of breach:   22 Mar 2020
Number of accounts:   8,661,578
Compromised data:   Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames
Description:   In March 2020, the stock photo site 123RF suffered a data breach which impacted over 8 million subscribers and was subsequently sold online. The breach included email, IP and physical addresses, names, phone numbers and passwords stored as MD5 hashes. The data was provided to HIBP by dehashed.com."
« Last Edit: November 15, 2020, 00:52 by ravens »

« Reply #2 on: November 15, 2020, 02:02 »
+1
Maybe this explain the SPAM I receive since September on the email address I use for 123RF.

« Reply #3 on: November 15, 2020, 04:22 »
+4
I also got the emails from 123 and pwned,
"Please be assured that 123RF is now secure " oh great, NOW its secure, what was it before???!!!!

There seems to be no penalty for these companies allowing hacks to happen, clearly they could have stopped it beforehand, because NOW they have fixed it. Who knows how it happened? could have been a hack, or an internal employee leaking the data, or weak systems.
But its just 'oh were sorry" now weve fixed it. It should be investigated and if found to be a company failure to protect our data, they should be fined.
To be honest, they have gone downhill so much in the last few years, its probably a lack of money. I should really just give up with them.
If this has happened once, then they probably wont be regularly 'on the ball' with system security.

« Last Edit: November 15, 2020, 06:48 by BigLeague »

JetCityImage

« Reply #4 on: November 15, 2020, 06:57 »
0
I received the same eMail, but didn't use the link they sent to reset my password - I went directly to the 123 website and clicked reset password from there. It's all very suspicious and it is getting more difficult to just do a regular login.

« Reply #5 on: November 15, 2020, 07:31 »
+1
Another incident highlighting why nobody should reuse passwords....

Why . none of these sites offer 2 factor authentication i'll never know...

Quote
There seems to be no penalty for these companies allowing hacks to happen,

Depends where they're located in the world.  In the UK that would be an ICO breach and automatic fine relative to earnings.
« Last Edit: November 15, 2020, 07:42 by gnirtS »

THP Creative

  • THP Creative

« Reply #6 on: November 15, 2020, 09:40 »
0
I never received the email, so I appreciate seeing this posted here.

I had to reset my password on my last login and wondered what had caused it.

« Reply #7 on: November 15, 2020, 10:44 »
+2
I got it and changed my password. Now I get an endless parade of recaptcha crap and can never get to the site. As far as I'm concerned recaptha is the worst thing that ever happened to the web. Other than animated gifs

« Reply #8 on: November 15, 2020, 10:59 »
0
I got the same e-mail. The problem is, when I try to reset password the "Change password" button with yellow tab is unclickable (it's clickable at the beginning, but when I start typing new password it becomes unclickable), so I can't change password nor can I login because old password doesn't work. I wonder, if I'll get the payout which I should this month.Anyone else scheduled to receive payment this month and, did you received it yet?

« Reply #9 on: November 15, 2020, 11:16 »
0
I got the same e-mail. The problem is, when I try to reset password the "Change password" button with yellow tab is unclickable

Make sure the new password you type meets all the requirements, then tab to the next field.  It took me a couple of tries before the button activated.

« Reply #10 on: November 15, 2020, 11:39 »
+1
I did, I put just random letters (upper case also), special characters and numbers still nothing. I tried iexplorer, same thing.

Ok, nevermind, I got it. I used "-" character and apparently that wasn't good enought, now I tried "@" and it works.

Logged in. No sales. Logged out.
« Last Edit: November 15, 2020, 11:43 by Dumc »

« Reply #11 on: November 15, 2020, 14:44 »
0
I tried to login before I got the email, and received a security notice requesting me to change my email. I created a strong password and can login, but only to the customer site, when I try to login to the contributor site, the new password doesn't work. I can use the old password, which prompts me to change the password, and the whole process starts again.

I've been round and round in circles since yesterday, and now I'm waiting for support to get back to me.
« Last Edit: November 16, 2020, 04:26 by KuriousKat »

« Reply #12 on: November 16, 2020, 02:20 »
0
Same here.

« Reply #13 on: November 16, 2020, 07:40 »
0
Now is OK.

« Reply #14 on: November 16, 2020, 14:25 »
0
I also got the emails from 123 and pwned,
"Please be assured that 123RF is now secure " oh great, NOW its secure, what was it before???!!!!

There seems to be no penalty for these companies allowing hacks to happen, clearly they could have stopped it beforehand, because NOW they have fixed it. Who knows how it happened? could have been a hack, or an internal employee leaking the data, or weak systems.
But its just 'oh were sorry" now weve fixed it. It should be investigated and if found to be a company failure to protect our data, they should be fined.

If it's online, it's prone to hacking. This sort of thing happens constantly - it would be difficult to prosecute and would discourage service providers from doing ANYTHING when a breach did happen for fear that they'd be prosecuted. They did the right thing only storing them as MD5 really ... the hash still has to be brute-forced to figure out the password, which is a slow process. So ... now your contact info is out there, like it wasn't already.

I almost enjoy when these things happen, even when it's my own account. These gentle reminders are good to change passwords and to not use the same one for everything.

PZF

« Reply #15 on: November 17, 2020, 06:21 »
+2
Been there. Changed password. Yesterday or the day before.
This morning another email, same text as before.
I'm guessing it's just a fouled up system and not that they have been hacked...again!

« Reply #16 on: November 17, 2020, 12:26 »
0
They did the right thing only storing them as MD5 really ... the hash still has to be brute-forced to figure out the password, which is a slow process. So ... now your contact info is out there, like it wasn't already.

I almost enjoy when these things happen, even when it's my own account. These gentle reminders are good to change passwords and to not use the same one for everything.

They say MD5 but no idea if salted or not which makes a difference.  Ultimately if its not a password susceptible to dictionary attacks, IF the hashing is properly implemented its no problem.  But in so many cases it turns out the implementation was useless.

ICO in the UK regularly prosecutes and fines private companies for failing to secure data (although seems the government is exempt...).  Look at TalkTalk, British Airways etc.

« Reply #17 on: November 17, 2020, 15:25 »
0
Been there. Changed password. Yesterday or the day before.
This morning another email, same text as before.
I'm guessing it's just a fouled up system and not that they have been hacked...again!

Yep, changed mine a couple days ago after first email. Got another email today. I only kept the account open because I was buying images for clients work. Dont need it anymore, dont contribute, will prolly just have them close it.

« Reply #18 on: November 18, 2020, 03:35 »
0
Interesting... when I went to their website they advised of a "Security Policy Change" and I had to update my password!

Damage limitation in action?!? Truth or... lying to their contributors to cover up their failing systems?!?

PZF

« Reply #19 on: December 01, 2020, 06:00 »
0
Can't log in at all today. After a dozen Captcha things I have given up. Twice. Anybody else got this?

« Reply #20 on: December 01, 2020, 11:39 »
+1
Can't log in at all today. After a dozen Captcha things I have given up. Twice. Anybody else got this?

Yup. Me too.

« Reply #21 on: December 10, 2020, 22:39 »
0
Hi Everyone,

I can't login to my account for weeks now, due to a 'Security Upgrade'. I've been asked to renew my password following the instructions sent to my email account. But neither do I receive any message or link nor does the support team is responding to my mails asking to solve this problem.

Am I the only one?

Rob

« Reply #22 on: January 21, 2021, 14:50 »
0
I have left this site but just found out that I was affected. I never received a email. I assume because I was no longer with them. I missed this thread.

Just be aware even if you left before the hack you will be compromised.



 

Related Topics

  Subject / Started by Replies Last post
4 Replies
3497 Views
Last post August 21, 2012, 09:28
by hjalmeida
11 Replies
5789 Views
Last post November 16, 2013, 12:51
by scottdunlap
2 Replies
3429 Views
Last post June 10, 2015, 13:12
by SLStudios
7 Replies
3540 Views
Last post July 14, 2015, 03:30
by MichaelUtech
12 Replies
8580 Views
Last post June 13, 2019, 07:36
by EO

Sponsors

Mega Bundle of 5,900+ Professional Lightroom Presets

Microstock Poll Results

Sponsors