As a security precaution, our system checks email and password combinations against a registry of accounts that have previously been compromised. These accounts become compromised when a website or application suffers a data breach.
If our system finds a match, we reset the password for the account and trigger a reset password email. This prevents hackers from using an email and password combination found in a data breach from another service (like LinkedIn, Facebook, etc.) to try to gain access to Unsplash accounts.
If this has happened to you, here is what you should do:
- Send a reset password email by going to https://unsplash.com/users/password/new
- Check your email and follow the link to reset your password
- When setting a new password, use a password that is completely unique to your Unsplash account. Do not reuse a password from another account you use, like Facebook, Twitter, etc. or your account will be insecure.
- Check your email(s) against the HaveIBeenPwned.com project to see what accounts you have on other websites or apps might have been compromised in data breaches.
If you have questions, you can reach us at firstname.lastname@example.org.
Note: Unsplash does not store your password directly and has no knowledge of your other accounts. We store a cryptographic hash of your password which can be used to compare against a known list of compromised email and password combinations. This is the same approach used by other industry standard sites like Github.