Flickr
Analysis of the Flickr data exposure via third-party breach including user IP addresses and locations.
Published by the Scrutex.ai Research Team | February 2026
Disclaimer
This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.
At a Glance
Organisation
Flickr
Online photo management and sharing platform, owned by SmugMug, serving photographers and creative communities worldwide.
Sector
Technology / Social Media
Region
Global
Date of Incident
Prior to February 2026 (exact date not disclosed)
Date Disclosed
February 2026
Estimated Impact
Unknown
Data Types Exposed
Names, usernames, email addresses, IP addresses, location data
Attack Type
Third-party Exposure
Attack Vector
Data exposure through a third-party service (specific vector not disclosed)
Current Status
Under investigation. Flickr has acknowledged the incident.
Severity Assessment
Moderate. The inclusion of IP addresses and location data adds physical privacy risk beyond typical contact information exposure.
What Happened
In February 2026, Flickr user data was exposed through a third-party incident. The compromised data includes names, usernames, emails, IP addresses, and locations.
IP addresses and location data add to identity profiling risk and can be combined with other breach data for comprehensive user profiling.
Timeline
February 2026
Flickr user data exposed through third-party incident
Impact and Risk Assessment
For Affected Individuals
Users had their contact information, IP addresses, and location data exposed. IP addresses can reveal approximate physical location and internet service provider.
The combination of usernames, email addresses, and location data enables cross-platform identity correlation.
For Organisations
Flickr and its parent company SmugMug face reputational impact from a third-party exposure they may not have directly controlled.
Regulatory Context
GDPR may apply for EU users, particularly given the exposure of location data which is considered personal data under the regulation.
What Should You Do?
If You Are a Potentially Affected Individual
Review your Flickr account privacy settings. Consider whether your location data should be shared with the platform.
Be aware that your IP address and location data from Flickr may be combined with data from other breaches for comprehensive profiling.
If You Are a Security or Risk Professional
Assess the security of every third-party service that processes your users' data. Third-party exposure incidents highlight supply chain risk beyond your direct control.
Learnings and Recommendations
Third-party exposure incidents highlight the importance of assessing not just your own security but the security of every service and partner that processes your users' data.
IP addresses and location data can reveal physical movements and routines, making this data more sensitive than basic contact information alone.
Sources
This advisory is provided for informational purposes by the Scrutex.ai research team. It is based on publicly available reporting from the sources cited above. Where details are unconfirmed or disputed, we have noted this accordingly. Scrutex.ai does not independently verify internal claims made by affected organisations. Organisations concerned about their own exposure are encouraged to conduct their own assessments and seek professional advice where needed.
Stay ahead of the next breach
Scrutex monitors dark web sources, breach databases, and threat actor activity continuously, detecting exposure that affects your organisation before it becomes a headline.