We recently found that third parties had made unauthorized logins to a few accounts on PIXTA.
Our own investigation found that the cause was “list type account hacking (list type attack)”.
We would like to report what we have confirmed about this issue and our countermeasures, although the specific numbers and the situation may change in the short term, because the attacks are still taking place intermittently.
[Overview of the unauthorized logins]
From Monday, September 18, 2017, 8:25 p.m. JST to Wednesday, September 20, 2017, 6:20 p.m. JST
<Number of accounts logged in to by unauthorized users>
<Information that could have been viewed>
Registered information that can be seen on “your account page” on PIXTA, our web service,
e.g., email address, user name, date of birth, gender, country of residence, history of earned credits, transfer account information for the earned credits, and so on.
So far, we have ascertained that, regarding “earned credits”, which are the form of reward for selling works on PIXTA, cash-out applications were made on 7 contributor accounts during the period, and that all of those applications were unauthorized (not made by the real users). We have already identified the 7 cases above and did not make transfers for those applications.
In addition, we found that for 20 of the 252 accounts, the first 6 and the last 2 digits of the credit card number, the cardholder name, and the expiry date could have been viewed during the unauthorized access. However, neither the full credit card number nor the security code can have been leaked through the unauthorized logins, because we do not hold or register them in PIXTA.
<Kind of the unauthorized logins>
List type account hacking (list type attack): a cyberattack in which third parties who have somehow obtained other users' IDs and passwords try to log in to various websites with those stolen IDs and passwords, in order to view personal information or for other purposes.
[Counter-measures by PIXTA]
As a countermeasure against the attacks and to prevent further damage, on September 22, 2017 we reset, at our own discretion, the passwords of the 252 accounts that suffered unauthorized logins, and informed those users by email of the details of the incident, how to change their passwords, how to contact us if other problems occur, and so forth.
Furthermore, we have been asking our users on the PIXTA website to change their passwords to prevent further unauthorized logins.
In addition, we have already reported this case to the Personal Information Protection Commission and consulted with the Community Safety Division of the Shibuya Police Station.
[Request to change Password]
As with similar incidents at other services recently, it is highly likely that these attacks were “list type account hacking (list type attack)”, which uses IDs and passwords that may have been leaked from other services. Therefore, your account can be a target of this kind of cyberattack if you use the same password for other services. One of the best ways to prevent it is not to use the same password anywhere else. Regardless of whether you received our individual email about this case, please make sure to change your password if you use the same ID and password for other services.
Additionally, if your password is like any of the ones below, it is very easy for third parties to crack, which makes it easier for them to log in to your account, so we strongly recommend that you change it to one that is much harder to guess.
・The same ID and password as for other services
・Password that includes a part of your login ID
・Password composed of simple consecutive numbers
・Password composed of your date of birth or phone number
・Password composed only of simple numbers
・Password composed only of simple words such as “password”
＜How to change your password＞
Please enter the email address you registered at the following URL and click the “Send” button.
We will then send a password reset message to that email address.
Visit the password reset page via the URL in the email, set the new password, and click the “Change” button.
This completes the procedure.
You will be able to log in with your email address and the new password after the change.
＜For those who forgot their password＞
We sincerely apologize to all customers who use PIXTA for any concern and inconvenience.
We will take all necessary measures to prevent a recurrence and to further reinforce our security system.
<Contact form regarding this incident>