Security Issue February 2019: FAQ

For multi-language FAQs, click here

UPDATED: Feb. 13, 2019, 11 a.m. EST

What happened?

On February 8, 2019, our engineering team became aware of a potential security issue affecting certain user profile data. We immediately launched a comprehensive review of our systems to understand the nature and scope of the issue. We engaged a third-party expert to assist us in our investigation and are coordinating with law enforcement authorities on this matter.  

Based on our investigation to date, we believe that an unauthorized party gained access to our systems and acquired partial user data on approximately July 5, 2018. We’ve concluded this issue affected certain information that users provided when filling out their user profiles, as listed below. Our engineers are closely monitoring our platform and we’ve found no evidence to date of any recurrence of this issue.

As a precaution, we are resetting all users’ 500px account passwords. A notification email will provide instructions to affected data subjects on how to reset their passwords.

A system-wide password reset is currently underway for all users, prioritized in order of potential risk, and we have already forced a reset of all MD5-hashed passwords.

What type of user data was affected?

  • Your first and last name as entered on 500px
  • Your 500px username
  • The email address associated with your 500px login
  • A hash of your password, which was hashed using a one-way cryptographic algorithm
  • Your birth date, if provided
  • Your city, state/province, country, if provided
  • Your gender, if provided

How do I know if I was affected?

If you were a 500px user on or prior to July 5, 2018, you have been affected.

We are in the process of notifying all users via email as well as with onsite and mobile notifications. However, given the volume of users affected, there may be delays in the notifications you receive.

Regardless of whether or not you were directly affected, given the nature of the personal data involved, we are alerting you to this matter so you can take steps to help protect yourself against the risk of phishing, spam, and other misuse of your information as a result of this issue. We recommend you change your password on any other website or app on which you use a password that is the same as or similar to your password for your 500px account.

I’m unable to reset my password. What do I do?

Click here for steps to assist in resetting your password. 

I haven’t received an email to reset my password yet.

We are currently working on notifying our entire user base, prioritized by potential risk. However, given the number of users affected, this task will span one day at minimum. Users may receive the email notification that includes a prompt to reset their password at different times. If you have not yet received the email, we encourage you to reset your password if you haven’t already.

If you have marked emails from 500px as spam in the past, you may not receive the notification email. Unfortunately, this is not an issue we can correct on our side (to ensure our users don't receive emails that they view as spam). Instead, you will need to whitelist emails from 500px.com with your email service provider to receive them again. The process may be different depending on which email provider you use.

I’ve already reset my password. Do I need to do it again?

If you reset your password after 3 a.m. EST on Feb. 12, you do not need to reset it again. However, if you would like to, you can reset your password here.

When did you first learn of the security issue?

On February 8, our engineering team learned of a potential security issue and began investigating right away.  

What have you done to fix this?

  • Given the nature of the personal data involved, we have already forced a reset of all MD5-hashed passwords, and a system-wide password reset is underway.
  • We have vetted access to our servers, databases, and other sensitive data-storage services.
  • We have monitored and are continuing to monitor our source code, both public-facing and internal, to protect against security issues.
  • We are partnering with leading experts in cyber security to further secure our website, mobile apps, internal systems, and security processes.
  • We are modifying our internal software development process.
  • We are continuing to upgrade our network infrastructure.

If you learned about the breach on Feb. 8, why am I just hearing about it now?

It was important that we be able to provide our users with accurate information before confirming the details of the breach. Given the nature of the personal data involved, our primary concerns, and hence our activities in order of priority, were to ensure:

1) that our system was secured;
2) that our users’ data was secured from further breaches and unauthorized access to the accounts;
3) that accurate information was being conveyed to our users, followed by public communication.

We are currently working on notifying our entire user base, prioritized by potential risk. However, given the number of users affected, this task will span one day at minimum. Although this breach does not affect users that registered after July 5, 2018, we want to take every possible precaution to ensure the security of our users.

What data wasn’t taken?

At this time, there is no indication of unauthorized access to your account, and no evidence that other data associated with your user profile was affected, such as credit card information (which is not stored on our servers), if used to make any purchases, or any other sensitive personal information.

Have you alerted law enforcement?

We have alerted law enforcement, in addition to retaining a security firm to assist us in the investigation and next steps.

How can we trust this won’t happen again?

Going forward, we will continue to enhance our security measures to help keep your data safe and we are implementing additional measures to help prevent this type of incident from reoccurring.

We are continuing to upgrade our network infrastructure. Over the last 12 months, we have undertaken a major upgrade to our network infrastructure—this project is nearing completion, and will also offer a significant increase in security.

If I logged in with a social account (Google+, Facebook), do you still have my password?

As a user signing in from an external social platform, you can still enter a password with us, but we do not store your Google+, Facebook, or social sign-in passwords. When you log in via a social account, we receive a session token that is stored on our servers. When the session token expires, we ask you to log in via your social account to give us a new token each time.

What happened to my 500px Lightroom plugin?

The 500px Lightroom plugin is no longer supported by the 500px team. During the site-wide password reset, many users who previously had access to our Lightroom plugin were no longer able to access it after updating their password. At 500px, the safety and protection of our user data is a top priority—which means you will no longer be able to access the unsupported Lightroom plugin, and we have removed the ability to download it from our site. We caution against using the 500px Lightroom plugin or downloading it from any other sites, as it has been deprecated.

If you are using Lightroom going forward, it is recommended that images are exported and uploaded to your 500px profile manually.

I want to delete my 500px account.

Keep in mind, deleting your 500px account does not affect whether your information has been compromised by this breach. The steps for deleting your account can be found here:

https://support.500px.com/hc/en-us/articles/360009701153-How-do-I-delete-my-account-

As per our privacy policy, we may preserve your data if necessary to comply with specific legal obligations.

How can I get a copy of all my data from 500px?

500px can send you an archive of your data via email. Please send a request to help@500px.com and we can fulfill the data request within 72 hours of our team confirming receipt of the email.

I didn’t get the password reset email.

If we invalidated your password, you will be prompted to reset your password the next time you try to log in to 500px with a password. We are contacting affected users as soon as possible over the next few days.

The link in the email doesn’t work.

If we invalidated your password, you will be prompted to reset your password the next time you try to log in to 500px with a password. We recommend doing so at your earliest convenience.

Why do I have to reset my password/why can’t I log in?

While we have password security measures in place, we are taking additional steps to protect your personal data. As a precaution, we are requiring all users to reset their 500px account passwords.

Why do I have multiple emails and links?

You may have received multiple messages or password reset prompts from 500px. This is because we are taking every precaution to ensure we have made all of our users aware of this incident.
