123RF data breach: Hacker steals 8.3m user records from internal server

A hacker recently stole over 8.3 million user data records from popular stock photos and vectors site 123RF after breaching a server owned by its parent company Immagine Group that stored the personal information and IP addresses of registered users.

123RF is among the largest online repositories of stock photos, audio, videos, and other royalty-free content, boasting over 12 million monthly active users, daily content contributed by around 300,000 artists, and offering over 110 million creative works to online users worldwide.

This Thursday, Bleeping Computer reported that a known data breach broker was found on a hacker forum selling a massive 123RF database that contained over 8.3 million records. The broker shared a sample of the database that revealed the database contained personal data such as the names, phone numbers, addresses, email addresses, IP addresses, and MD5 hashed passwords of 123RF's users.

When contacted by the news site, Immagine Group, the company that owns 123RF, admitted to suffering the massive data breach, stating that a hacker was able to gain access to user records after breaching a server located at their data centre.

"We are actively notifying the necessary authorities and 123RF.com members to work with them to remedy the situation. We are also tightening the security policies to include tighter passwords and IP detection to combat suspicious log-ins."

"Our security infrastructure is always under a constant state of security testing, penetration, and development, especially in the past year. We wish to reiterate that we take the privacy and data of our customers seriously and have at all times been vigilant with the handling of our customer’s data," the company said in an email.

Despite the company's claims, Bleeping Computer found that user passwords stored in the compromised database were encrypted using the MD5 algorithm that hackers can easily break using publicly-available tools. The site was able to easily retrieve the plain-text passwords for numerous accounts using online MD5 cracking tools.

Commenting on 123RF using MD5 to secure user passwords, Boris Cipot, senior security engineer at Synopsys, said it is unfortunate that MD5 was used as the hashing algorithm as MD5 is not the strongest algorithm to protect sensitive data as it is relatively simple to retrieve clear text passwords using online dehashing sites.

"As such, potentially affected users need to change their 123RF password as soon as possible. If the same password is used for any other services, those should be changed as well," he added.

The ease at which hackers are regularly gaining access to corporate servers and stealing vast bundles of user data has shocked governments as well as privacy-conscious Internet users across the world. Despite the arrival of stringent data protection laws, the availability of advanced cyber security solutions, and greater awareness of cyber threats, many companies are still found wanting when it comes to securing the data they hold and process from malicious actors.

Earlier this week, it came to light that a hacker was able to steal over 46 million user accounts associated with popular children's online playground Animal Jam after breaching a database owned by gaming company WildWorks.

WildWorks said the data breach most probably occurred between 10th and 12th October but the company came to know about the incident this Wednesday after security researchers found the stolen Animal Jam data when monitoring raidforums.com, a public hacker forum. You can read more about the incident here.

Copyright Lyonsdown Limited 2020