Flickr says a flaw at a third-party email provider may have exposed users’ names, email addresses, IPs, and account activity.
Flickr is a photo-sharing platform owned by SmugMug. It has over 100 million registered users and millions of active photographers.
Flickr warned users about a possible data breach caused by a flaw in a third-party email service. The issue may have exposed names, email addresses, IPs, and account activity. The company pointed out that the security breach did not expose passwords or payment data. Flickr shut down the affected system within hours.
“We want to inform you about a security issue involving one of our third-party service providers that may have affected some of your personal information. Here’s what you need to know.” reads a data breach notification sent to the impacted users. “On February 5, 2026, we were alerted to a vulnerability in a system operated by one of our email service providers. This flaw may have allowed unauthorized access to some Flickr member information. We shut down access to the affected system within hours of learning about it.”
The company did not say which provider was involved or how many users were impacted.
The company says it reacted quickly after discovering the issue. It immediately cut off access to the affected system, removed links to the vulnerable endpoint, and alerted the third-party provider, requesting a full investigation. At the same time, the company began a broader security review and started strengthening controls around third-party services. The company also notified the relevant data protection authorities.
The company recommends that users stay alert for phishing emails pretending to be related to their account, check account settings for unusual activity, and update passwords on other services if the same password was reused.
“We sincerely apologize for this incident and for the concern it may cause. We take the privacy and security of your data extremely seriously, and we are taking immediate action to prevent any similar issues by conducting a thorough investigation, strengthening our system architecture, & further enhancing our monitoring of third-party service providers.” concludes the notification.
(SecurityAffairs – malware, Flickr)
