A threat actor released 1.9 million stolen user credentials belonging to the online photo editing application Pixlr. The online image editor offers basic image manipulation tools for free and a premium subscription with advanced features, including stock photos and tools rivaling the well-known professional photo editor Photoshop. The incident was associated with the hacking group ShinyHunters, responsible for numerous high-profile breaches in the past.
ShinyHunters hacking group releases Pixlr stolen user credentials for free on a hacker forum
The cybercrime gang released the Pixlr stolen user credentials for free on an English-speaking hacker forum. The threat actor said that they accessed the data while hacking the sister stock photo site 123rf. Inmagine owns both Pixlr and 123rf sites.
According to the threat intelligence firm KELA, the stolen user credentials were also part of a larger leak affecting multiple sites whose data was published for free on hacking forums.
The released database contained 1,921,141 user records consisting of email addresses, login names, SHA-512 password hashes, country of residence, a flag indicating whether the user signed up for the newsletter, and other details.
Although the company has not responded to the data breach, BleepingComputer confirmed that the leaked stolen user credentials were authentic. Because the company has not acknowledged the incident, most users are unaware that their data was compromised and are therefore more exposed to phishing attacks.
Other threat actors were impressed by the hacking group’s generosity and thanked ShinyHunters for releasing the stolen user credentials for free.
Hacking group one of the most recognizable threat actors
The hacking group is responsible for several high-profile breaches, including HomeChef, Minted, Chatbooks, Dave, Promo, Mathway, Wattpad, Tokopedia, Wappalyzer, TeeSpring Inc., Bonobos, Wishbone, Heavenly, among others.
The hacking group also stole 500 GB of Microsoft source code from the company’s private GitHub account in May 2020. ShinyHunters was also responsible for stealing 46 million records from Animal Jam, an online virtual gaming platform for children.
The hacking group is one of the most recognizable threat actors in the cybercrime world. Releasing stolen user credentials for free in the underground market earns the hacking group more “street cred,” making it easier for the group to sell leaked data in the future.
The hacking group disclosed that the stolen user records originated from an Inmagine AWS bucket breached in late 2020. It is not clear how ShinyHunters breached the company’s S3 bucket, although the group is known for employing ingenious methods to compromise its victims.
In July 2020, the ShinyHunters hacking group breached the financial services provider Dave through the WayDev Git analytics platform.
It is also likely that the breach stemmed from a misconfigured S3 bucket, a leading cause of data breaches on cloud platforms.
Cybersecurity experts react
Pravin Rasiah, VP of Product at CloudSphere, believes that a security faux pas on the Amazon cloud platform was to blame.
“Improperly secured AWS S3 buckets are one of the leading causes of data breaches due to misconfiguration,” says Rasiah. “The chances of leaving an S3 bucket exposed are all too high, as inexperienced users can simply choose the ‘all users’ access option, making the bucket publicly accessible. Leaving these S3 buckets open and exposed invites hackers to exploit the personal data entrusted to companies by their customers.”
Rasiah says that organizations should “invest in a cloud governance platform that provides holistic, real-time observability into the cloud landscape to stay apprised of abnormalities while ensuring that data is secure.”
He believes the comprehensive visibility could allow businesses to address security weaknesses before being exploited by threat actors such as ShinyHunters.
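As an added defender's check (not code from the article or from any company quoted in it), the Python below flags the two ways Rasiah's “all users” exposure shows up on a bucket: an ACL grant to S3's AllUsers or AuthenticatedUsers group, and a bucket policy statement that allows any principal without a Condition. The ACL shape assumed is that of boto3's `get_bucket_acl()` output, and both the ACL and the policy are constructed samples; treating every conditioned statement as non-public is a simplification.

```python
import json

# S3's predefined groups behind the console's "all users" / "authenticated users" options.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def acl_public_grants(acl):
    """Return (group, permission) pairs that grant everyone access; `acl` is assumed to
    have the shape boto3's s3.get_bucket_acl() returns."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings

def _is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" is inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def policy_public_statements(policy_json):
    """Return the Sid of each Allow statement open to any principal with no Condition."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    return [st.get("Sid", f"statement-{i}") for i, st in enumerate(statements)
            if st.get("Effect") == "Allow" and _is_wildcard(st.get("Principal"))
            and not st.get("Condition")]

# Constructed sample ACL: owner keeps FULL_CONTROL, a second grant opens READ to AllUsers.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
# Constructed sample policy: one unconditional public statement, one scoped by a Condition.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}}]})
```

Run against the samples, the ACL check reports the AllUsers READ grant and the policy check reports only PublicReadGetObject; enabling S3 Block Public Access at the account or bucket level stops such grants from taking effect in the first place.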
Although user passwords were hashed and not directly usable, the victims are at risk of targeted phishing and credential stuffing attacks.
“It doesn’t take much for bad actors to cross-reference the compromised data with previously breached records and create accurate profiles of the breach victims,” says Nathanael Coffing, CSO at CloudEntity. “Hackers already have access to previously stolen data on the dark web, which allows them to easily weaponize this free information for their own malicious gain and target users’ financial or healthcare information.”
Coffing says that organizations must implement strong user authorization measures to protect databases from future breaches.
“To ensure sensitive information is safeguarded, enterprises must implement continuous contextual, fine-grained authorization on the API level, in addition to multi-factor authentication (MFA),” Coffing adds. “By taking these proactive measures to authenticate users and protect their data, organizations can avoid data breaches and the negative consequences that come along with them.”
The affected users should also change their passwords on Pixlr and on any other sites where they reused the same password. Using a strong, unique password and a password manager is highly recommended to reduce the chances of the threat actors, or of other cybercriminals who later obtain the data, breaking into their accounts.
Responding to the leak of Pixlr user credentials, Saryu Nayyar, CEO at Gurucul, says:
“While the revelation of details on almost two million Pixlr user accounts did not include financial information, it did include password hashes and enough information to be valuable for an attacker to launch carefully crafted spear-phishing attacks or a cast-netting attack against the Pixlr user base.”
Anurag Kahol, CTO at Bitglass, says that having millions of stolen user credentials circulating on the dark web puts users at risk of identity theft.
“Additionally, it’s concerning that login credentials were included amongst the compromised information, particularly because reusing passwords across multiple accounts is a common and unsafe practice. This means that if a cybercriminal gains access to a user’s password, she or he can potentially use it to gain access to other accounts belonging to that user across multiple services.”
Boris Cipot, Senior Security Engineer at Synopsys Software Integrity Group, notes that hackers could sometimes decrypt hashed passwords. He advises the victims to be on the lookout for possible phishing attacks and warns them not to click blindly on links sent via email.