Cyber Incident Victim: Pixlr
Date: Dec 2020
Location: United States of America
Summary
A threat actor known as ShinyHunters leaked approximately 1.9 million user records from an online photo editing service after compromising its parent company's AWS bucket. The exposed data included email addresses, login credentials stored with SHA-512 hashing, country information, newsletter subscription status, and internal account details. The breach reportedly occurred during an intrusion targeting another subsidiary under the same corporate umbrella. ShinyHunters distributed the database freely on a hacker forum, enabling malicious activities such as credential stuffing and targeted phishing campaigns. Security researchers verified the authenticity of portions of the dataset, confirming legitimate user information was compromised.
Description
In late December 2020, a threat actor known as ShinyHunters breached the systems of Inmagine, the parent company of Pixlr and 123rf, accessing a database stored in an AWS bucket. ShinyHunters, a hacker with a documented history of compromising organizations including Tokopedia, Homechef, and Wattpad, exfiltrated 1,921,141 user records from Pixlr, an online photo editing service offering both free and premium features. The stolen data included email addresses, login names, SHA-512 hashed passwords, country information, newsletter subscription status, and internal operational metadata. On an unspecified date shortly before January 20, 2021, ShinyHunters publicly leaked the entire database for free on a hacker forum, explicitly linking the breach to his prior compromise of 123rf's infrastructure. The actor claimed the data was extracted from Inmagine's cloud storage at the end of 2020. Forum participants, including other threat actors, acknowledged the leak's potential utility for credential stuffing and targeted phishing campaigns due to the volume and sensitivity of the exposed information.

BleepingComputer independently verified the authenticity of numerous email addresses within the leaked database as active Pixlr user accounts, confirming the breach's legitimacy. The incident exposed nearly two million users globally to heightened risks of account takeover and identity-based attacks, exacerbated by the inclusion of password hashes—though cryptographically strong—that could theoretically be cracked through determined brute-force efforts. No evidence suggested financial data or payment information was compromised. Pixlr's parent company did not issue public statements or acknowledge the breach despite media inquiries, leaving uncertainty regarding containment measures or system remediation. The lack of confirmed response actions contrasted with security researchers' confirmation of the dataset's validity, establishing the event as an operational security failure with measurable consequences for user privacy. The breach's impact extended beyond immediate data exposure due to Pixlr's market position as a widely adopted alternative to professional photo editing software, amplifying the potential scale of downstream credential reuse attacks across other platforms.
