Flickr warns of data breach

Names and email addresses of 35 million members at risk

Photo-sharing website Flickr has sent out emails alerting its millions of users to a potential data breach.

In an email that was sent on 6th February, the company says it was “alerted” to a vulnerability in an email service provider’s system on 5th February, which “may have allowed unauthorised access to some Flickr member information.”

About 35 million people use Flickr every month, and the site hosts more than 28 billion images, so even a potential breach is a big deal.

We do not yet know how many of those users might have been affected, but Flickr is advising all of them to stay vigilant.

The company’s email says payment information and passwords were not affected, but personal data could have been, “depending on your account.” It does not clarify what this means.

The following information appears to have been at risk:

This would certainly count as personal data under the GDPR and similar legislation, so regulators may get involved. Flickr notes that it has informed “the relevant data protection authorities.”

Jake Moore, global cybersecurity advisor at ESET, noted that even if passwords were not affected, “the exposure of names and email addresses alone still matters because it can still lower the barrier for phishing and impersonation scams... Attackers thrive on small pieces of trusted information, whilst incidents like this show how third-party services can often be the key to accessing it.”

In response to the potential breach, Flickr disabled access to the affected system and removed all links to the vulnerable endpoint, as well as demanding a full investigation from the service provider.

The investigation is ongoing.