Industry News: Cyber

Know Your Breach: Pixlr

Written by Cybersecurity | Jan 22, 2021 2:57:24 PM

The target: Pixlr, a popular, free online photo editing application.

The take: 1.9 million user records of personally identifiable information, including email addresses, login names, hashed passwords, and users' country of origin.

The attack vector: The breach occurred when an AWS storage bucket was left unsecured and online by Pixlr's parent company, Inmagine. This allowed the attacker to download a copy of the data and then post it on a public hacking forum, vastly widening the exposure of the compromised users.

This leak shows the negative and cascading effects a breach can have, not only in the personal or financial risk to the user, but also in how far the stolen data can be distributed to malicious actors. Robust password controls and user authentication are critical to maintaining data integrity and confidentiality. In addition, this breach highlights the importance of protecting against credential stuffing attacks by using strong, unique passwords that are not shared among logins, a security strategy recommended to every firm.
