FAQ: Client Gallery Password Security Incident - April 26th, 2021

Our security team recently identified some suspicious activity in client galleries that may affect certain customers. We resolved the technical issue that allowed this activity to occur and have launched an investigation which remains ongoing.

Security and privacy are a top priority, and we remain committed to ensuring that your content is protected. We have prepared these FAQs to help bring clarity.

 

Q: What happened?

A: On April 21, 2021, our security team identified suspicious activity in some ShootProof client Galleries. We worked quickly to resolve the issue that day, and continue to investigate further to confirm its potential impact as soon as possible.

 

Q. What do you know so far? 

A: A thorough forensic investigation is underway, and as a result of this investigation, we have evidence that an unauthorized individual obtained passwords to certain galleries. 

 

Q. How can I know if galleries in my own account were accessed without permission?

A: An investigation is underway. While we've reached out to impacted studios directly, out of an abundance of caution, it's important that every gallery password be updated immediately to ensure the privacy of your galleries. 

We encourage you to check your Gallery Visitor Report (Reports > Gallery Visitors) to make sure you recognize email addresses that have accessed your Galleries. If you see suspicious email entries on your Gallery Visitor Report, we urge you to email that information to dataprotection@shootproof.com.

 

Q. Was my or my clients' credit card information compromised?

A: No. There was no risk of exposure to credit card information as a result of this security vulnerability.

 

Q. Am I at risk for identity theft?

A: This incident did not affect any Social Security numbers, financial account information, or personal address information.

 

Q. What information was compromised, and how might it potentially be used?

A: The following Gallery information may have been accessed without consent:

  • Client Gallery Expiration Date
  • Client Gallery Name
  • Client Gallery Password
  • Client Gallery URL

With this information, Active Public and Private galleries may be accessed by an unauthorized individual.

Inactive, Archived, and Pre-Release galleries are not affected, and Album-level passwords were not compromised.

 

Q. What has ShootProof done to ensure the safety of my Galleries?

A: On the day our team discovered this security vulnerability, we released a software update to resolve it.

We’ve also created a tool to help you update gallery passwords in bulk. The Gallery Password Update Tool changes the password on all Galleries that are currently password-protected, including Active, Inactive, Pre-Release, and Archived Galleries, with and without a Linked Contact. The new passwords will be random, 12-character, alphanumeric passwords.

Once you update the passwords, you’ll receive a CSV of all-new Gallery passwords to reference when communicating with clients about the password change, and can optionally email Linked Contacts for all Active Galleries affected. 

 

Q. Can you say with confidence that my galleries are now safe?

A: We can say with confidence that the software vulnerability that enabled the unauthorized individual to access gallery passwords has been resolved. However, to ensure your galleries are safe, we strongly recommend you immediately change passwords on all Active Galleries.

 

Q. What immediate steps do I need to take? 

A: To ensure the security of your client Galleries, we recommend changing passwords on all Active Galleries. You can update passwords manually, or use our Gallery Password Reset Tool to automatically update all Gallery passwords and obtain a CSV of the updated passwords.

There is no need to update Album-level passwords, as they were not compromised.

Depending on whether your Galleries currently have Linked Contacts, or whether you prefer to contact your clients directly or via the automated email we've provided within the Gallery Password Reset Tool, you have several options:

  1. Use the Active Gallery Password Reset Tool to automatically reset passwords on all Active Galleries and optionally email Linked Contacts for those Galleries.
  2. If your Galleries don't have Linked Contacts but you'd like to use the Gallery reset tool to automatically notify clients, use Bulk Actions to temporarily make Galleries Inactive. Add Linked Contacts, then reactivate Galleries and use the password reset tool to update passwords and email the new Linked Contacts from within ShootProof.
  3. If you prefer to manually update Gallery passwords, use Bulk Actions to temporarily make Galleries Inactive, allowing you time to make the password updates. Reactivate Galleries once passwords are reset, then notify clients directly.

   

Q: Can you tell me which of my Galleries had their passwords compromised?

A: We are not able to tell which Client Gallery passwords were compromised, so we strongly recommend that you update all Client Gallery passwords immediately. Our investigation into this event is ongoing, and we will provide additional information as more is learned.

 

Q. What should I tell my clients?

A: How you choose to communicate with your clients is up to you. If you would like assistance communicating this information to your customers, please contact us at dataprotection@shootproof.com and we can help with messaging.

If you do not see any suspicious gallery visitor activity, there is no need at this time to communicate further details about this event with your clients, aside from the password reset.

 

Q. What is ShootProof doing to prevent this from happening again in the future?

A: We know that the security of your images is paramount to the success of your business, and we are in the process of thoroughly reviewing our security features, policies, and internal processes. Based on these findings, we will implement additional security measures to further reduce the risk of future incidents.
