Flickr Discloses Potential Data Exposure via Third-Party Email Service Provider
Flickr notified users of a potential data breach after discovering a vulnerability in a third-party email service provider system that may have enabled unauthorized access to some member information. Flickr said it was alerted to the flaw on February 5, 2026 and disabled access to the affected system within hours. The company did not name the provider or disclose how many users were impacted, but stated that exposed data may include real names/usernames, email addresses, account types, IP addresses, general location data, and account activity.
Flickr stated that passwords and payment card data were not compromised, reducing immediate risk of direct account takeover but increasing risk of phishing and targeted social engineering using the exposed profile and activity details. Users were advised to review account settings for unexpected changes and to be cautious of messages referencing their Flickr accounts, with Flickr emphasizing it will not request passwords via email. Separately, Substack reported a different breach involving unauthorized access to limited user data and dark web leak claims; it is not connected to the Flickr incident.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Flickr announces broader third-party security review and user warnings
Following the disclosure, Flickr said it was strengthening architecture, monitoring, and oversight around third-party providers, and warned users to watch for phishing, review account settings, and change reused passwords on other services.
Flickr notifies users and data protection authorities
Flickr began disclosing the incident to customers and notified relevant data protection authorities, stating that potentially exposed data included names, email addresses, usernames, account types, IP or location-related data, and activity logs, while passwords and payment information were not affected.
Flickr contains exposure by disabling affected vendor access
Within hours of learning of the issue on 2026-02-05, Flickr shut down access to the affected vendor system, removed links to the vulnerable endpoint, notified the provider, and requested an investigation.
Flickr alerted to third-party email provider vulnerability
On 2026-02-05, Flickr said it was notified of a security vulnerability in a system operated by an external email service provider that may have enabled unauthorized access to some member data.
Sources
8 references tracked.
Flickr data exposure linked to third-party vendor flaw | SC Media (scworld.com)
Flickr’s 35M Users Affected by Third-Party Data Exposure (techrepublic.com)
Flickr moves to contain data exposure, warns users of phishing (securityaffairs.com)
Flickr Data Breach: Third-Party Flaw Exposes Millions of Users - TheCyberThrone (thecyberthrone.in)
Flickr emails users about data breach, pins it on 3rd party • The Register (go.theregister.com)
Flickr Notifies Users of Data Breach After External Partner Security Flaw (hackread.com)
Flickr Data Breach - 35 million users Data at Risk (cybersecuritynews.com)
Flickr discloses potential data breach exposing users' names, emails (bleepingcomputer.com)


