Flickr Alerts Users About Data Breach Due to Security Vulnerability with External Partner

Flickr has reported a security vulnerability related to a third-party email service provider that may have compromised user names, email addresses, IP information, and activity logs. Notably, passwords and financial data remain secure.

The incident, disclosed by the popular photo-sharing platform, occurred on February 5, 2026, when Flickr was made aware of a flaw in the system managed by an external vendor. This vulnerability could potentially have allowed unauthorized parties access to certain personal information associated with Flickr accounts.

Flickr, currently owned by SmugMug, responded promptly, deactivating access to the affected system just hours after the issue was identified. This incident bears similarities to a recent breach affecting Substack, a newsletter platform, where a hacker operating under the alias ‘w1kkid’ claimed to have stolen more than 662,000 user records—a breach that Substack’s CEO only verified days later, as reported by Hackread.com.

Details of the Data Exposure

While any data breach poses risks, Flickr has indicated that user passwords and financial information were not compromised during this incident. The exposed data potentially includes real names, registered email addresses, logs of user activity, IP addresses, general geographic locations, and account types, whether Pro or Free.

Flickr serves a substantial user base, hosting over 28 billion images for approximately 35 million monthly active users. However, the company has not specified how many accounts were impacted by this recent vendor-related vulnerability.

The Company’s Response

In an official security announcement, Flickr confirmed that it has informed the appropriate data protection authorities regarding the breach. As a proactive measure to mitigate future risks, Flickr is enhancing its system architecture and increasing oversight of its third-party service providers. The company expressed regret over the incident, emphasizing its commitment to user privacy and security and underscoring its immediate actions to investigate, strengthen defenses, and monitor external partners more closely.


What Flickr Advises You to Do

In light of this incident, it’s crucial for users to remain vigilant against potential phishing attempts that may arise from the data exposure. Flickr encourages users to be cautious of unsolicited emails regarding their accounts, clearly stating that they “Will never ask for your password via email.” Users sharing passwords across platforms are advised to change them immediately as a precaution. Furthermore, it is prudent for users to log into their accounts and verify their profile settings for any unauthorized modifications.
