A threat actor released 1.9 million stolen user credentials belonging to the online photo editing app Pixlr. The online image editor offers basic image manipulation tools for free and a premium subscription with advanced features, including stock photos and tools that rival the well-known professional photo editor Photoshop. The incident was associated with the ShinyHunters hacking group, responsible for numerous high-profile breaches in the past.
ShinyHunters hacking group publishes stolen Pixlr user credentials for free on a hacker forum
The cybercrime ring released Pixlr’s stolen user credentials for free on an English-language hacker forum. The threat actor said they obtained the data while hacking 123rf, a sister stock photo site; Inmagine owns both Pixlr and 123rf.
According to the threat intelligence firm KELA, the stolen user credentials were also part of a larger leak that affected several sites whose data was posted for free on hacking forums.
The published database contained 1,921,141 user records consisting of email addresses, login names, SHA-512 hashed passwords, country of residence, a flag indicating whether the user subscribed to the newsletter, among other details.
Although the company has not responded to the data breach, BleepingComputer confirmed that the stolen and leaked user credentials are authentic. With no statement or notification from the company, most users are unaware that their data was compromised and are therefore more exposed to phishing attacks.
Other threat actors were impressed by the hacking group’s generosity and thanked ShinyHunters for releasing the stolen user credentials for free.
Hacking group one of the most recognizable threat actors
The hacking group is responsible for several high-profile breaches, including HomeChef, Minted, Chatbooks, Dave, Promo, Mathway, Wattpad, Tokopedia, Wappalyzer, TeeSpring Inc., Bonobos, Wishbone, Heavenly, among others.
The hacking group also stole 500 GB of Microsoft source code from the company’s private GitHub repositories in May 2020. ShinyHunters was also responsible for stealing 46 million records from Animal Jam, an online virtual game platform for children.
The hacker group is one of the most recognizable threat actors in the cybercrime world. Releasing stolen user credentials for free on underground forums earns the group “street cred”, making it easier for the group to sell leaked data in the future.
The hacker group said that the stolen user records came from an Inmagine AWS S3 bucket breached in late 2020. It is unclear how ShinyHunters got into the company’s bucket, although the group is known to employ inventive methods against its victims.
In July 2020, the ShinyHunters hacking group breached financial services provider Dave via Waydev, a third-party Git analytics platform.
The breach is also likely due to a misconfigured S3 bucket, one of the leading causes of data breaches on cloud platforms.
Cybersecurity experts react
Pravin Rasiah, vice president of product at CloudSphere, believes a security misstep on Amazon’s cloud platform was to blame.
“Badly secured AWS S3 buckets are a leading cause of data breaches due to misconfiguration,” says Rasiah. “The chances of leaving an S3 bucket exposed are too high, as inexperienced users can simply choose the ‘all users’ access option, making the bucket publicly accessible. Leaving these S3 repositories open and exposed invites hackers to exploit the personal data entrusted to companies by their customers.”
Rasiah says that organizations should “invest in a cloud governance platform that provides holistic, real-time observability across the cloud landscape to stay on top of anomalies and ensure data security.”
He believes that end-to-end visibility could allow companies to address security weaknesses before they are exploited by threat actors like ShinyHunters.
Although the leaked passwords are SHA-512 hashed rather than stored in plaintext, and so cannot be used directly, victims remain at risk of targeted phishing and of credential stuffing attacks wherever the same password was reused.
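The following is an added example, not code from the article or from Pixlr, showing why "hashed" is only weak reassurance for a leak like this one. The article says the passwords were SHA-512 hashed but does not say whether they were salted; the example assumes unsalted SHA-512 for the leaked records (an assumption, labelled in the code), runs a small wordlist against a constructed four-record dump, shows how identical hashes expose password reuse across accounts, and contrasts this with the same accounts stored under a salted, memory-hard KDF (scrypt from the Python standard library). All records, addresses and passwords are constructed for the demonstration.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample dump in the shape the article describes (email, login, SHA-512 hash).
# ASSUMPTION: unsalted SHA-512. The article only says "SHA-512 hashed" and does not say
# whether Pixlr salted its hashes; this shows why an unsalted fast hash barely slows an attacker.
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein", "photoshop1", "Summer2020!"]


def sha512_hex(s: str) -> str:
    return hashlib.sha512(s.encode()).hexdigest()


# Constructed plaintexts used only to build the demo records; an attacker sees just the hashes.
SAMPLE_PLAINTEXTS: Dict[str, str] = {
    "alice@example.com": "password",
    "bob@example.com": "Summer2020!",
    "carol@example.com": "correct horse battery staple",
    "dave@example.com": "password",
}

LEAKED_RECORDS: List[Dict[str, str]] = [
    {"email": email, "login": email.split("@")[0], "hash": sha512_hex(pw)}
    for email, pw in SAMPLE_PLAINTEXTS.items()
]


def crack_unsalted(records: List[Dict[str, str]], wordlist: List[str]) -> Dict[str, str]:
    """Hash the wordlist ONCE, then look every leaked record up in that table.
    Cost is len(wordlist) hash computations no matter how many users are in the dump."""
    table = {sha512_hex(w): w for w in wordlist}
    return {r["email"]: table[r["hash"]] for r in records if r["hash"] in table}


def reuse_groups(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Identical unsalted hashes mean identical passwords, so the most frequent hashes
    are the ones an attacker spends cracking effort on first."""
    groups: Dict[str, List[str]] = {}
    for r in records:
        groups.setdefault(r["hash"], []).append(r["email"])
    return {h: emails for h, emails in groups.items() if len(emails) > 1}


# Hardened form: random per-user salt plus a memory-hard KDF (scrypt, standard library).
# 128 * r * N = 16 MiB per evaluation, within hashlib.scrypt's default 32 MiB limit.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)


def build_salted_store() -> Dict[str, Tuple[bytes, bytes]]:
    """The same four constructed accounts as they would be stored with salted scrypt."""
    return {email: hash_password(pw) for email, pw in SAMPLE_PLAINTEXTS.items()}


def crack_salted(store: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """With unique salts there is no shared lookup table: every (user, candidate) pair costs
    a full scrypt evaluation, and users sharing a password no longer share a digest."""
    cracked: Dict[str, str] = {}
    attempts = 0
    for email, (salt, digest) in store.items():
        for w in wordlist:
            attempts += 1
            if verify_password(w, salt, digest):
                cracked[email] = w
                break
    return cracked, attempts


if __name__ == "__main__":
    print("unsalted SHA-512, 6 hashes computed:", crack_unsalted(LEAKED_RECORDS, WORDLIST))
    print("users sharing a password:", list(reuse_groups(LEAKED_RECORDS).values()))
    cracked, attempts = crack_salted(build_salted_store(), WORDLIST)
    print(f"salted scrypt: {len(cracked)} cracked after {attempts} KDF evaluations")
```

The weak passwords still fall in the salted case; what changes is the cost model. Against the unsalted dump, six SHA-512 computations cover all four users (and 1.9 million would cost the same six), and duplicate hashes hand the attacker a reuse map for free. Against the salted scrypt store, every user costs a separate run of the wordlist at tens of milliseconds per guess, which is what makes a dump of this size expensive to crack wholesale.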
“It doesn’t take much for bad actors to cross-reference compromised data with previously breached records and create accurate profiles of breach victims,” says Nathanael Coffing, CSO at CloudEntity. “Hackers already have access to previously stolen data on the dark web, allowing them to easily use this free information for their own malicious gain and target users’ financial or health information.”
Coffing says organizations must implement strong user authorization measures to protect databases from future breaches.
“To ensure sensitive information is protected, companies must implement continuous granular and contextual authorization at the API level, in addition to multi-factor authentication (MFA),” adds Coffing. “By taking these proactive steps to authenticate users and protect their data, organizations can prevent data breaches and the negative consequences that accompany them.”
Affected users should change their Pixlr password and the password on any other site where they reused it. Using a strong, unique password and a password manager is strongly recommended to reduce the chances that other threat actors breach their accounts.
Responding to Pixlr’s stolen user credentials, Saryu Nayyar, CEO of Gurucul, says:
“While the disclosure of details on nearly two million Pixlr user accounts did not include financial information, it did include password hashes and enough information for an attacker to launch carefully designed phishing attacks or a broadcast network attack against Pixlr’s user base.”
Anurag Kahol, CTO of Bitglass, says that having millions of stolen user credentials circulating on the dark web puts users at risk of identity theft.
“Additionally, it is concerning that login credentials are included among the compromised information, particularly since password reuse across multiple accounts is a common and insecure practice. This means that if a cybercriminal gains access to a user’s password, they can potentially use it to gain access to other accounts that belong to that user across multiple services.”
Boris Cipot, senior security engineer at Synopsys Software Integrity Group, notes that hackers can sometimes crack hashed passwords. He advised victims to be on the lookout for phishing attempts and warned them not to click blindly on links sent by email.
It is frustrating that most victims of the Pixlr cyber attack are unaware that their user credentials have been breached and are likely to remain complacent about the potential risks.