Royalty-Free Image Site ‘123RF’ Had a Massive Data Breach

  • ‘’ was breached by hackers at an unconfirmed time, losing millions of user records.
  • The user details are now sold on Russian-speaking forums and include a rich set of sensitive information.
  • The exposed users shouldn’t have shared all that data with a website of this kind.

The royalty-free image site “” is sending out notifications of a breach to its users after a huge database containing 8,500,246 user records belonging to the platform has appeared on a Russian-speaking dark web forum. The 3GB SQL database was exfiltrated by the actors at an unknown and still unconfirmed time, but the entries range from 2006 to March 2020, so it must be around that time. 123RF only got to see samples of that data, and it appears to be valid.

The type of data that is included in the records are:

  • User IDs
  • Full names
  • Location data (city, state, street address, postcode)
  • Phone numbers
  • IP addresses
  • Email addresses used to log into
  • Email addresses used to log into PayPal
  • Email addresses used to log into Facebook
  • User Facebook IDs
  • Account passwords (MD5 hashed)
Source: CyberNews

The risks of having the above exposed include falling victim to phishing attacks, scamming, identity theft, spamming, credential stuffing, and vulnerability exploitation. Unfortunately, there’s too much to be found in the database, which makes us wonder why a royalty-free website would need all this user information in the first place.

If you have created an account in 123RF, you should immediately reset your passwords on the associated platforms (PayPal, Facebook) and also enable two-factor authentication. Ideally, you should use a different phone number than the one exposed in this security incident to eliminate the chances of being targeted by SIM swappers.

123RF believes that the 2020 entries are fake to make the data appear more recent and thus more valuable. They think that the database is actually one year old, but this isn’t very reassuring anyway.

Victims may have already received phishing emails and SMS or approached by strangers who know stuff about them on Facebook. Beware of these possibilities, as the latter is particularly nasty. Someone can set up a Facebook account using a name that is familiar to you, so don’t jump to conclusions. Instead, scrutinize new friend requests and incoming communications.

US Darts Masters 2023 Live Stream: How to Watch Online from Anywhere
The tension is palpable, and the excitement is high ahead of what promises to be another captivating edition of the US Darts...
Spanish Grand Prix Live Stream 2023: How to Watch Formula 1 Online from Anywhere
The thrills of the 2023 Formula 1 season continue this weekend with the Spanish Grand Prix. Another blistering race lies in store...
How to Watch Love ALLways Online: Stream LGBTQ+ Dating Show from Anywhere
Love ALLways is a new reality TV dating show, and we have all the important details you may be searching for, including...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari