Freepik, the popular website that provides high-quality free photos and design graphics, has disclosed a major security breach that impacted 8.3 Million users.
Freepik says that hackers were able to steal emails and password hashes for 8.3M Freepik and Flaticon users in an SQL injection attack against the company’s Flaticon website.
The company is notifying the impacted registered users via email.
“We have recently notified all affected users of a security breach in Freepik Company, affecting Freepik and Flaticon. The security breach was due to a SQL injection in Flaticon that allowed an attacker to get some user’s information from our database.” reads the statement published by Freepik.
“We immediately notified the competent authorities of the breach, and in our forensic analysis, we determined that an attacker extracted the email and, when available, the hash of the password of the oldest 8.3M users.”
According to the company, 4.5M out of these 8.3M user records had no hashed password because they used exclusively federated logins, this means that attackers only accessed their email address.
“For the remaining 3.77M users the attacker got their email address and a hash of their password,” continues the statement. “For 3.55M of these users, the method to hash the password is bcrypt, and for the remaining 229K users the method was salted MD5. Since then we have updated the hash of all users to bcrypt.”
The company did not disclose technical details of the incident, such as when the intrusion took place.
The company is currently investigating the incident.
In response to the incident the company canceled passwords for the accounts that had a password hashed with salted MD5 and urge them via email to reset the password.
“Users who got their password hashed with bcrypt received an email suggesting them to change their password, especially if it was an easy to guess password. Users who only had their email leaked were notified, but no special action is required from them.” reads the statement.
(SecurityAffairs – hacking, data breach)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.