Flickr has confirmed a data security incident after detecting a vulnerability in a system operated by one of its third-party email service providers. The company informed users about the issue through an email notification sent on February 5, 2026.
According to Flickr, the issue was caused by a flaw in an external system used to manage email services. This vulnerability may have allowed unauthorized access to certain Flickr member information. The company says it shut down access to the affected system within hours of being alerted.
Flickr has clarified that sensitive data such as passwords and payment card numbers, were not affected. However, depending on the user account, the exposed information may have included names, email addresses, Flickr usernames, account type, IP address, general location, and some activity data on the platform.
The company says it acted quickly after discovering the issue. Flickr disabled access to the vulnerable system, removed all connections to the affected endpoint, and notified the service provider involved. It has also demanded a full investigation from the third party and has started its own internal review.
Flickr stated that it is strengthening its security practices, especially around third-party providers. The company has also informed relevant data protection authorities about the incident, which is a requirement in many regions when user data may be exposed.
For users, Flickr is advising extra caution. The company has warned members to be alert for phishing emails that may reference their Flickr account. Flickr says it will never ask for passwords through email. Users are also encouraged to review their account settings for anything unusual. Those who reuse their Flickr password on other services are advised to change it as a precaution.
Flickr has also shared region-specific guidance. Users in the EEA and the UK can contact their local data protection authorities if they wish to file a complaint. California residents have been advised that they can reach out to the California Attorney General and major credit bureaus for identity protection support, if needed.
Data breaches linked to third-party vendors have become increasingly common. Even when a company’s core systems remain secure, external service providers can still become weak points. This incident highlights the growing risk associated with complex digital supply chains, especially for platforms handling large volumes of user data.
Flickr has apologized for the incident and said it takes user privacy seriously. The company says it is reviewing its system architecture and improving monitoring of third-party services to prevent similar issues in the future.
