What Happened
In February 2026, Flickr user data was exposed through a third-party incident. The compromised data includes names, usernames, emails, IP addresses, and locations.
IP addresses and location data add to identity profiling risk and can be combined with other breach data for comprehensive user profiling.
Timeline
- February 2026 — Flickr user data exposed through third-party incident
Impact and Risk Assessment
For Individuals
Users had their contact information, IP addresses, and location data exposed. IP addresses can reveal approximate physical location and internet service provider.
The combination of usernames, email addresses, and location data enables cross-platform identity correlation.
For Organisations
Flickr and its parent company SmugMug face reputational impact from a third-party exposure they may not have directly controlled.
Regulatory Context
GDPR may apply for EU users, particularly given the exposure of location data which is considered personal data under the regulation.
What Should You Do?
For Individuals
- Review your Flickr account privacy settings. Consider whether your location data should be shared with the platform.
- Be aware that your IP address and location data from Flickr may be combined with data from other breaches for comprehensive profiling.
For Security Professionals
- Assess the security of every third-party service that processes your users' data. Third-party exposure incidents highlight supply chain risk beyond your direct control.
Learnings and Recommendations
Third-party exposure incidents highlight the importance of assessing not just your own security but the security of every service and partner that processes your users' data.
IP addresses and location data can reveal physical movements and routines, making this data more sensitive than basic contact information alone.