What happened

According to public breach records, the piZap data breach on December 7, 2017 is reported to have exposed the personal information of 41,817,893 accounts.

In approximately December 2017, the online photo editing site piZap suffered a data breach. The data was later put up for sale on a dark web marketplace in February 2019, along with a collection of other data breaches. A total of 42 million unique email addresses were included in the breach alongside names, genders and links to Facebook profiles when the social media platform was used to authenticate to piZap. When accounts were created directly on piZap without using Facebook for authentication, passwords stored as SHA-1 hashes were also exposed.

Passwords in this breach were reportedly stored as SHA-1 hashes.

In approximately December 2017, the online photo-editing service piZap suffered a data breach affecting 41.8 million unique email addresses, which surfaced publicly when the dataset was offered for sale on a dark web marketplace in February 2019 bundled with several other breached databases. The exposed records included email addresses, names, genders, geographic locations, usernames, website activity, and—for users who authenticated via Facebook—links to their social media profiles. For accounts created directly on piZap rather than through Facebook login, passwords were also exposed, stored as SHA-1 hashes (a now-outdated algorithm).

What data was exposed

The following types of personal data were compromised:

  • Email addresses
  • Genders
  • Geographic locations
  • Names
  • Passwords
  • Social media profiles
  • Usernames
  • Website activity

Breach details

| Detail | Value |
| --- | --- |
| Breach name | piZap |
| Date | December 7, 2017 |
| Accounts affected | 41,817,893 |
| Domain | pizap.com |

This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.

We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by piZap; it reflects a publicly reported security incident.

What to do now

Based on the data exposed in this breach, here are the steps you should take:

  • Change your piZap password immediately, and change it anywhere else you reused the same password — the leaked passwords were stored as SHA-1 hashes, which are weak and feasible to crack.
  • Enable two-factor authentication on your email account and any service where you reused the piZap password, so a cracked credential alone can't grant access.
  • Be alert for targeted phishing and spam: your email address, name, and geographic location were exposed and can be combined to make scam messages look convincing — never click links or enter credentials from unsolicited messages.
  • If you used Facebook to sign in to piZap, review your Facebook connected-apps and login activity, and revoke piZap's access if you no longer use it.

Check your exposure

Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.
