Privacy News Flickr Notifies Users of Data Breach After External Partner Security Flaw

Brownie2019

Flickr says a third-party email vendor flaw may have exposed user names, emails, IP data, and activity logs, though passwords and payments stayed secure.
A security flaw at a third-party email service provider has potentially exposed the personal details of Flickr members. On February 5, 2026, the popular photo-sharing platform was alerted to a vulnerability within a system managed by one of its external vendors. This loophole may have allowed unauthorised individuals to view specific member data.
Flickr, currently operated by SmugMug, acted quickly to address the issue, disabling access to the compromised system within hours of the discovery. For your information, this incident follows a similar pattern to a recent security report involving Substack, the newsletter platform. As reported by Hackread.com, a hacker using the alias ‘w1kkid’ claimed on February 2, 2026, to have extracted over 662,000 user records from Substack, a breach the company’s CEO only confirmed days later.

Details of the Data Exposure
The Hackread write-up broadly matches what other outlets are reporting: Flickr says it was alerted on February 5, 2026 to a vulnerability in a system run by an (unnamed) third-party email service provider, and that the issue could have allowed unauthorized access to certain member data. ([securityweek.com](https://www.securityweek.com/flickr-security-incident-tied-to-third-party-email-system/?utm_source=openai))

What Flickr says may have been exposed
Based on the user notification language reported by multiple sources, the potentially accessible data includes: names, email addresses, Flickr usernames, account type, IP address/general location, and Flickr activity data. Passwords and payment card numbers were not included. ([securityweek.com](https://www.securityweek.com/flickr-security-incident-tied-to-third-party-email-system/?utm_source=openai))

Also important: Flickr’s wording (as reported) is “may have allowed” access, which typically means they are not definitively confirming exfiltration—only that exposure was possible. ([securityweek.com](https://www.securityweek.com/flickr-security-incident-tied-to-third-party-email-system/?utm_source=openai))

Practical risk to users
Even without passwords/payment data, this kind of dataset can increase risk of targeted social engineering, especially:
  • Phishing emails that use your real name/username, and reference Flickr activity to look legitimate
  • Account-takeover attempts on other sites if you reused the same password elsewhere (credential stuffing)
  • Privacy concerns due to IP-derived “general location” and activity metadata
(Those are general downstream risks of exposed identifiers/metadata; not a claim that abuse has already happened.)

Recommended user actions (low-risk, sensible steps)
  • Be extra cautious with “Flickr support/security” emails—don’t click login links; instead, type the site address manually or use a bookmark.
  • Change your Flickr password if it’s reused anywhere else (priority). Use a unique password + a password manager.
  • Review account settings for unexpected changes (email, profile info, connected apps/services).
  • Watch for phishing via FlickrMail/comments too—Flickr has guidance on identifying phishing and notes it won’t ask for passwords/payment info via messages. ([flickrhelp.com](https://www.flickrhelp.com/hc/en-us/articles/45515945671060-Protecting-Yourself-from-Phishing-Scams-on-Flickr?utm_source=openai))
  • If you receive suspicious messages impersonating Flickr, report them to Flickr support and (on MalwareTips) share headers/content if you want others to help assess whether it’s a phish.

Context: third-party/vendor incidents
This is a good example of “supply-chain”/vendor risk: Flickr indicates the exposure point was an external email provider system, not necessarily Flickr’s core platform. ([securityweek.com](https://www.securityweek.com/flickr-security-incident-tied-to-third-party-email-system/?utm_source=openai))
