Flickr has informed its users of a possible security incident affecting personal information, caused by a vulnerability at an external email service provider. The photo-sharing social network, active since 2004 and hosting billions of images, has confirmed that it cut off access to the affected system a few hours after it had been notified of the problem, but acknowledges that some data belonging to its members may have been exposed.
According to the notification sent to those affected, the leak could include real names, email addresses, platform user names, account type, IP addresses, approximate location data and activity records within Flickr. At the same time, the company has stated that there is no evidence that passwords or payment card numbers were compromised in this incident. The statement the company shared publicly in its message on X (formerly Twitter) can be read here.

The news has been picked up by cybersecurity-focused media, which report that Flickr declined to disclose the name of the mail provider involved or the exact number of accounts affected. This reticence about third parties is common in initial disclosures, but it is also one of the most problematic aspects of these incidents: when a platform delegates critical functions to external suppliers, it gives up part of its direct control over security and over the flow of information.
It is important to put this case in context: Flickr is a long-standing online photography community with billions of files and a significant user base. Relying on third-party services for tasks such as sending transactional emails or notifications is widespread practice in the industry, but it also multiplies the attack surface when those suppliers have vulnerabilities. European bodies and cybersecurity experts have been warning about the risks of the digital supply chain for years; in Europe, analyses and guides are available from the European Union Agency for Cybersecurity (ENISA).
Flickr has urged affected users to review their account settings for unauthorized changes and to stay alert to phishing attempts that use information extracted from the service. The company reiterated that it will never request passwords by email and announced that it is fully investigating the incident, reviewing its architecture and strengthening oversight of external suppliers.
If you are a Flickr user, there are concrete, practical measures to take right now. The first is to inspect your own account for deleted content, modified albums, changed settings or sessions opened from unknown locations. If you reuse the same password on other services, change it without delay; the most immediate risk after a leak of emails and names is that attackers try the same credentials on other platforms.
It is also recommended to enable two-factor authentication (2FA) where the service offers it, and to use a password manager to generate and store a unique, strong password for each account. These practices significantly reduce the likelihood that unauthorized access will end in account hijacking or identity theft. For practical guidance on recognizing phishing emails and protecting yourself, reliable sources such as the United States Federal Trade Commission explain the steps to take in their phishing guide (FTC: How to recognize and avoid phishing), and in Spain the National Institute of Cybersecurity (INCIBE) offers resources in Spanish for users affected by online fraud (INCIBE).
Beyond individual recommendations, this incident reminds companies and product managers that data security does not end at their own infrastructure: the selection, auditing and continuous supervision of external suppliers is crucial. Organizations should require contracts that include security clauses, conduct regular risk assessments and maintain incident response plans that cover the identification and containment of third-party failures.

From a regulatory point of view, leaks involving personal data can trigger reporting obligations to data protection authorities and, in some cases, a right for users to receive detailed information on the extent of the incident. If you live in the European Union and believe that your personal data has been compromised, consult the information and resources of the European Data Protection Council or the supervisory authority in your country to learn which steps to take.
Finally, it is appropriate to remain calm but not to lower your guard. Many incidents of this kind lead to social engineering attempts aimed at the exposed users. If you receive an unexpected email requesting information, offering refunds or asking you to confirm data, avoid clicking on links and always check the sender's address. When in doubt, contact the service's official support from its website (not from links received by email) and change your credentials on any service where you reuse passwords.
Flickr has said that it apologizes for what happened and that it is taking steps to prevent something similar from happening again. While the investigation continues, the best defense remains the combination of good personal practices (unique passwords and 2FA) and constant pressure on platforms to strengthen the supervision of their suppliers. Full details of the incident and media coverage are available in specialized outlets, for example BleepingComputer (article on the Flickr notification), which has collected the public statements and initial follow-up.
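The advice to "check the address of the sender" is easy to state and easy to get wrong, because a mail client shows the display name far more prominently than the real address. The following script is an added example, not code from Flickr or from any of the outlets cited in this article; it uses Python's standard `email.utils.parseaddr` to separate the display name from the actual address and flags the three patterns that show up most often in post-breach phishing: a sending domain that does not belong to the service, a display name that invokes the brand while the address lives elsewhere, and a display name that is itself a fake address. The domain `photoshare.example`, the brand name `PhotoShare` and the sample headers are all constructed placeholders.

```python
from email.utils import parseaddr
import re

# Constructed for this example: the domains from which the service
# legitimately sends mail. A real check would use the domains the
# service itself publishes, not these placeholders.
LEGITIMATE_DOMAINS = {"photoshare.example"}
BRAND_NAMES = {"photoshare"}


def is_legitimate_domain(domain):
    """True if the domain is a legitimate sending domain or a subdomain of one."""
    return any(domain == legit or domain.endswith("." + legit)
               for legit in LEGITIMATE_DOMAINS)


def flag_sender(from_header):
    """Return a list of warnings for a From: header; an empty list means no red flags."""
    # parseaddr splits 'Display Name <user@host>' into ('Display Name', 'user@host')
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    warnings = []
    if not domain:
        return ["no parseable sender address"]
    if not is_legitimate_domain(domain):
        warnings.append(f"sender domain {domain} is not a known domain of the service")
        # The display name invokes the brand while the real address lives elsewhere
        if any(brand in display.lower() for brand in BRAND_NAMES):
            warnings.append("display name uses the brand but the address domain does not match")
    # A display name that itself looks like an address from a different domain
    m = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if m and m.group(1).lower() != domain:
        warnings.append("display name contains an address from a different domain")
    return warnings


# Constructed sample headers (not taken from any real message)
SAMPLE_FROM_HEADERS = [
    "PhotoShare <no-reply@photoshare.example>",
    "PhotoShare Billing <billing@notifications.photoshare.example>",
    "PhotoShare Support <support@photoshare-security.example>",
    '"no-reply@photoshare.example" <attacker@mail.example>',
]


def triage(headers=SAMPLE_FROM_HEADERS):
    """Map each header to its warnings so a batch can be reviewed at once."""
    return {h: flag_sender(h) for h in headers}


if __name__ == "__main__":
    for header, warnings in triage().items():
        status = "OK" if not warnings else "SUSPICIOUS"
        print(f"{status:10} {header}")
        for w in warnings:
            print(f"           - {w}")
```

Run as-is, the first two headers pass (a subdomain of the legitimate domain is accepted), the third is flagged for a lookalike domain plus brand use in the display name, and the fourth is flagged on all three counts: the quoted "no-reply@photoshare.example" is only a display name, and the message really comes from `mail.example`. The same logic applies to a Reply-To header, which attackers also abuse when the From address cannot be spoofed.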