Royalty-Free Image Site ‘123RF’ Had a Massive Data Breach

  • ‘123RF.com’ was breached by hackers at an unconfirmed time, losing millions of user records.
  • The user details are now sold on Russian-speaking forums and include a rich set of sensitive information.
  • The exposed users shouldn’t have shared all that data with a website of this kind.

The royalty-free image site “123RF.com” is sending out breach notifications to its users after a huge database containing 8,500,246 user records belonging to the platform appeared on a Russian-speaking dark web forum. The 3GB SQL database was exfiltrated by the actors at an unknown and still unconfirmed time, but the entries range from 2006 to March 2020, so the exfiltration must have happened around that time. 123RF only got to see samples of that data, and it appears to be valid.

The records include the following types of data:

  • User IDs
  • Full names
  • Location data (city, state, street address, postcode)
  • Phone numbers
  • IP addresses
  • Email addresses used to log into 123RF.com
  • Email addresses used to log into PayPal
  • Email addresses used to log into Facebook
  • User Facebook IDs
  • Account passwords (MD5 hashed)

Source: CyberNews

The risks of having the above exposed include falling victim to phishing attacks, scamming, identity theft, spamming, credential stuffing, and vulnerability exploitation. Unfortunately, there’s too much to be found in the database, which makes us wonder why a royalty-free website would need all this user information in the first place.

If you have created an account on 123RF, you should immediately reset your passwords on the associated platforms (PayPal, Facebook) and also enable two-factor authentication. Ideally, you should use a different phone number than the one exposed in this security incident to eliminate the chances of being targeted by SIM swappers.

123RF believes that the 2020 entries are fake to make the data appear more recent and thus more valuable. They think that the database is actually one year old, but this isn’t very reassuring anyway.

Victims may have already received phishing emails and SMS messages, or been approached on Facebook by strangers who know things about them. Beware of these possibilities, as the latter is particularly nasty. Someone can set up a Facebook account using a name that is familiar to you, so don’t jump to conclusions. Instead, scrutinize new friend requests and incoming communications.
