This morning, I received an email from 500px requiring that I change my password after they became aware of a “security issue” on the site on Friday 8th February. This might sound like 500px is jumping on the issue quickly; however, the breach actually happened way back on July 5th, 2018. After detecting the breach, 500px says that they “immediately launched a comprehensive review of our systems” to figure out exactly what happened and what the impact was. They say that they have been working with third-party security experts and are coordinating with law enforcement authorities.

The email explains what happened…

While the email said that there is no indication that there was unauthorised access to my account, it does say that passwords that haven’t been changed since October 2012 may be “reverse-engineered”, giving somebody access to your account, hence the forced password change. Presumably, “reverse-engineered” refers to some form of basic one-way encryption like MD5 hashing, and they’re talking about a brute-force attack to figure out what those older passwords are.

On February 8, 2019, our engineering team became aware of a potential security issue affecting certain user profile data. We immediately launched a comprehensive review of our systems to understand the nature and scope of the issue. We engaged a third-party expert to assist us in our investigation and are coordinating with law enforcement authorities on this matter.

Based on our investigation to date, we believe that an unauthorized party gained access to our systems and acquired partial user data on approximately July 5, 2018. We’ve concluded this issue affected certain information that users provided when filling out their user profiles, as listed below. Our engineers are closely monitoring our platform and we’ve found no evidence to date of any recurrence of this issue.

What personal data may have been affected?

- Your first and last name as entered on 500px
- Your 500px username
- The email address associated with your 500px login
- A hash of your password, which is hashed using a one-way cryptographic algorithm
- Your city, state/province, country, if provided
- Your birth date, if provided
- Your gender, if provided

At this time, there is no indication of unauthorized access to your account, and no evidence that other data associated with your user profile was affected, such as credit card information (which is not stored on our servers), if used to make any purchases, or any other sensitive personal information.

500px says that in response, they have already reset passwords, requiring users to create another to gain access to their accounts. They say that they have also “vetted access” to their servers, databases and sensitive data-storage services, and that they are monitoring both the public and internal source code to keep an eye out for further exploits with the assistance of cybersecurity experts to beef up the security of their website, mobile apps, and internal systems. They don’t say whether this was a public attack against 500px from across the web or an attack from within, through associations with other services.

In addition, if you have not changed your password on 500px since October 2012, there is a risk that your hashed password could be reverse-engineered to allow an unauthorized party to compromise your 500px account. The sections below provide information on the steps taken to protect your account, as well as further instructions for you.