Flickr Discloses Potential Data Exposure via Third-Party Email Service Provider
Flickr notified users of a potential data breach after discovering a vulnerability in a third-party email service provider system that may have enabled unauthorized access to some member information. Flickr said it was alerted to the flaw on February 5, 2026 and disabled access to the affected system within hours. The company did not name the provider or disclose how many users were impacted, but stated that exposed data may include real names/usernames, email addresses, account types, IP addresses, general location data, and account activity.
Flickr stated that passwords and payment card data were not compromised, reducing immediate risk of direct account takeover but increasing risk of phishing and targeted social engineering using the exposed profile and activity details. Users were advised to review account settings for unexpected changes and to be cautious of messages referencing their Flickr accounts, with Flickr emphasizing it will not request passwords via email. Separately, Substack reported a different breach involving unauthorized access to limited user data and dark web leak claims; it is not connected to the Flickr incident.
Timeline
Feb 6, 2026
Flickr announces broader third-party security review and user warnings
Following the disclosure, Flickr said it was strengthening architecture, monitoring, and oversight around third-party providers, and warned users to watch for phishing, review account settings, and change reused passwords on other services.
Feb 6, 2026
Flickr notifies users and data protection authorities
Flickr began disclosing the incident to customers and notified relevant data protection authorities, stating that potentially exposed data included names, email addresses, usernames, account types, IP or location-related data, and activity logs, while passwords and payment information were not affected.
Feb 5, 2026
Flickr contains exposure by disabling affected vendor access
Within hours of learning of the issue on 2026-02-05, Flickr shut down access to the affected vendor system, removed links to the vulnerable endpoint, notified the provider, and requested an investigation.
Feb 5, 2026
Flickr alerted to third-party email provider vulnerability
On 2026-02-05, Flickr said it was notified of a security vulnerability in a system operated by an external email service provider that may have enabled unauthorized access to some member data.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Sources
3 more from sources like hackread, cyber security news and bleeping computer
Related Stories
Substack Data Breach Exposes User Email Addresses and Phone Numbers
Substack confirmed an incident in which an **unauthorized third party** accessed limited user data, including **email addresses**, **phone numbers**, and other unspecified **internal metadata**. The company said the access occurred in **October 2025** and that **passwords, credit card numbers, and other financial information were not accessed**; CEO Chris Best stated Substack identified evidence of the issue in early February and has since **fixed the underlying problem** and opened an investigation. Public reporting indicates the breach may be connected to data posted on criminal forums: a threat actor allegedly leaked a database on **BreachForums** containing **697,313 records** and claimed the data was obtained via a “noisy” scraping method that was quickly patched. Substack has not disclosed the number of affected users or the precise technical root cause, and both reports note the company advised users to be cautious about **phishing** attempts leveraging the exposed contact details.
1 months ago
Multiple Consumer Data Exposures: IDMerit Database Leak, youX Intrusion, and Substack User Data Access
Cybersecurity researchers reported a major exposure at **IDMerit**, an AI-driven identity verification provider, after discovering an unsecured, internet-accessible **MongoDB** instance containing **over 3 billion records** (over 1TB). Exposed data reportedly included full names, addresses, dates of birth, national ID numbers, phone numbers, and email addresses; researchers estimated roughly **~1 billion** records contained sensitive data (with duplicates likely inflating the total). The dataset was described as global in scope, affecting individuals across **26 countries**, with large volumes attributed to the **US, Mexico, and the Philippines**, creating downstream risk for **identity fraud, account takeover, phishing, and SIM-swap** activity. Separately, Australian finance technology platform **youX** confirmed an **unauthorized third-party access** incident, after which a hacker claimed theft of data tied to **444,528** Australian borrowers and additional loan-application and identity data (including driver’s licence numbers, addresses, and credit/banking-related information), plus customer/staff details associated with broker organizations. **Substack** also confirmed unauthorized access to **limited user data** (including email addresses, phone numbers, and internal account metadata) that occurred in **October 2025** but was only identified on **Feb. 3, 2026**; Substack stated **passwords and payment card/financial data were not accessed**, but the extended detection gap raised concerns about monitoring and dwell time.
1 months ago
SoundCloud Data Breach Exposes 29.8 Million User Records
SoundCloud confirmed unauthorized access to an internal/ancillary service dashboard that enabled attackers to correlate **hidden email addresses** with information already visible on public SoundCloud profiles, impacting roughly **29.8 million accounts** (about **20%** of its user base). Exposed data was primarily **email addresses** plus public-profile metadata (e.g., usernames/display names, avatars, follower/following counts, and other profile statistics); SoundCloud stated **no passwords or financial data** were accessed. Users also reported service disruptions around the time of the incident, including access issues such as `403 Forbidden` errors (notably when connecting via VPN), consistent with post-incident security changes and response actions. Reporting attributed the intrusion and subsequent extortion attempt to the **ShinyHunters** group, with SoundCloud later acknowledging the actor made demands and used harassment tactics such as **email flooding**. The stolen dataset was subsequently leaked and then added to *Have I Been Pwned* for exposure checking, increasing downstream risk of targeted phishing and account-takeover attempts via credential stuffing on other services where users may have reused emails as identifiers. Separate contemporaneous claims by ShinyHunters against other companies (e.g., Panera Bread, CarMax, Edmunds) were reported but are distinct from the confirmed SoundCloud incident and include different alleged access vectors (e.g., stolen SSO codes).
1 months ago