Photo-sharing platform Flickr has disclosed a security incident involving unauthorised access to user information through a vulnerability in one of its third-party email service providers.
The company discovered the flaw on February 5, 2026, and shut down access to the affected system within hours. According to Flickr's notification to users, the vulnerability may have allowed unauthorised access to personal information, though the company has not confirmed whether data was actually stolen.
The potentially compromised data includes user names, email addresses, Flickr usernames, account types, IP addresses, general location information, and activity data on the platform. Flickr confirmed that passwords and payment card numbers were not affected by the incident.
The company has not identified the third-party email service provider involved in the breach. Security notifications were sent directly to affected users, with Flickr emphasising the need for caution regarding phishing attempts that may reference the incident.
Third-Party Security Risks
The breach highlights ongoing challenges with supply chain security, where vulnerabilities in third-party service providers can expose customer data even when the primary platform maintains secure infrastructure. Flickr has notified relevant data protection authorities in the European Economic Area, the United Kingdom, and California.
The incident follows a pattern of third-party service provider breaches that have affected multiple platforms in recent months. Security researchers have noted an increasing focus by threat actors on targeting vendors and service providers as an indirect route to accessing user data from multiple organisations.
Flickr has advised users to remain vigilant against phishing emails that reference their Flickr account. The company stated it will never request passwords via email and recommends users review their account settings for any unexpected changes.
Users who have reused their Flickr passwords on other services should consider updating those credentials. While no password data was compromised in this incident, the combination of exposed email addresses, usernames, and activity patterns could enable targeted social engineering attacks.
Flickr stated it is conducting a thorough investigation, strengthening its security practices with third-party providers, and enhancing monitoring of vendor systems to prevent similar incidents.
European Economic Area and UK residents have the right to lodge complaints with their local data protection authorities. California residents may contact the California Attorney General's office and consider placing fraud alerts with credit reporting agencies.