
Freepik disclosed a security breach that impacted over 8.3 million users in an SQL injection attack against the company’s Flaticon website.


The company explains that the attackers were able to steal email addresses and password hashes for 8.3M Freepik and Flaticon users.

Freepik

Freepik is an online platform that claims to have over 5 million graphic resources and more than 100 million downloads per month. It provides high-quality free photos and design graphics.

The company notified all the affected users of the security breach affecting Freepik and Flaticon. The threat actors extracted the email and, when available, the hash of the password of the oldest 8.3M users.

The security breach occurred due to a SQL injection in Flaticon that allowed an attacker to extract some information from the database.
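The article gives no technical details of the Flaticon flaw, so the following is an added, generic illustration (not Freepik's code) of the defect class it names: a user lookup built by string concatenation beside the parameterized form that prevents it. The in-memory SQLite database, table layout and sample rows are constructed for the demo.

```python
import sqlite3

def build_demo_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory table shaped like a minimal accounts store.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Defective pattern: the caller-supplied value is spliced into the SQL text,
    # so it can alter the query's grammar instead of acting as a plain value.
    sql = "SELECT email, password_hash FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # Hardened pattern: the driver binds the value as a parameter; whatever it
    # contains, it is compared against the column and never parsed as SQL.
    sql = "SELECT email, password_hash FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

# A textbook tautology string, constructed here to show the difference in behaviour:
# the concatenated query matches every row, the bound query matches none.
CONSTRUCTED_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable:", len(lookup_vulnerable(db, CONSTRUCTED_INPUT)), "rows")
    print("safe:      ", len(lookup_safe(db, CONSTRUCTED_INPUT)), "rows")
```

The operational lesson for a defender is the row count: a lookup keyed on one email address should never return the whole table, and a query-result anomaly like that is a cheap detection signal even before the code is fixed.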

Out of the 8.3M users, 4.5M had no hashed password as they used exclusively federated logins (with Google, Facebook and Twitter) and the only data attacker obtained from these users was their email address.

“For the remaining 3.77M users, the attacker got their email address and a hash of their password. For 3.55M of these users, the method to hash the password is bcrypt, and for the remaining 229K users, the method was salted MD5. Since then, we have updated the hash of all users to bcrypt,” stated Freepik.

The company cancelled the passwords that had been hashed with salted MD5 and emailed those users, telling them to choose a new password immediately and to change it on any other site where it had been reused.

Users whose passwords had been hashed with bcrypt received an email suggesting they change their password if it was easy to guess.
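The article says Freepik re-hashed every remaining salted-MD5 record to bcrypt but not how. The following is an added example (not Freepik's code) of one standard way to do that without knowing any plaintext: wrap the stored MD5 digest inside a slow hash immediately, then replace the wrapped record with a direct slow hash the next time the user logs in. Two assumptions are labelled in the code: the legacy scheme is taken to be MD5(salt || password), and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the block runs without third-party packages; the upgrade logic is the same with bcrypt.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 is used here as the slow hash in place of bcrypt.
PBKDF2_ROUNDS = 200_000

def legacy_salted_md5(password: str, salt: bytes) -> bytes:
    # Assumed legacy scheme: MD5(salt || password). Fast to compute, so cheap to guess offline.
    return hashlib.md5(salt + password.encode("utf-8")).digest()

def strong_hash(material: bytes, salt: bytes) -> bytes:
    # Slow, salted hash applied either to a plaintext password or to a legacy digest.
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS)

def wrap_legacy_record(md5_salt: bytes, md5_digest: bytes) -> dict:
    # Bulk upgrade step: no plaintext needed, the stored MD5 digest becomes the input
    # to the slow hash. A leaked copy of this record no longer exposes a bare MD5.
    salt = os.urandom(16)
    return {
        "scheme": "pbkdf2(md5)",
        "md5_salt": md5_salt,
        "salt": salt,
        "hash": strong_hash(md5_digest, salt),
    }

def verify(record: dict, password: str) -> bool:
    # Constant-time comparison for both record shapes.
    if record["scheme"] == "pbkdf2(md5)":
        inner = legacy_salted_md5(password, record["md5_salt"])
        candidate = strong_hash(inner, record["salt"])
    elif record["scheme"] == "pbkdf2":
        candidate = strong_hash(password.encode("utf-8"), record["salt"])
    else:
        raise ValueError("unknown hash scheme: %r" % record["scheme"])
    return hmac.compare_digest(candidate, record["hash"])

def upgrade_on_login(record: dict, password: str) -> tuple:
    # Second step: once the user proves the password at login, drop the MD5 layer
    # and store a direct slow hash. Returns (possibly new record, login succeeded).
    if not verify(record, password):
        return record, False
    if record["scheme"] == "pbkdf2(md5)":
        salt = os.urandom(16)
        record = {
            "scheme": "pbkdf2",
            "salt": salt,
            "hash": strong_hash(password.encode("utf-8"), salt),
        }
    return record, True

if __name__ == "__main__":
    # Constructed sample: one legacy salted-MD5 row as it might sit in the old table.
    old_salt = os.urandom(8)
    old_digest = legacy_salted_md5("correct horse battery", old_salt)
    wrapped = wrap_legacy_record(old_salt, old_digest)
    print("wrapped scheme:", wrapped["scheme"], "login ok:", verify(wrapped, "correct horse battery"))
    upgraded, ok = upgrade_on_login(wrapped, "correct horse battery")
    print("after login:", upgraded["scheme"], ok)
```

Wrapping protects every account at once, which matters when a dump is already in attackers' hands; the login-time rehash then retires the MD5 layer, and any account that never logs in again can be expired, which matches the article's choice to cancel the salted-MD5 passwords outright.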

The company did not disclose the technical details of the incident.

The company took some short-term measures to improve its security and planned further medium- and long-term measures.

“Due to this incident, we have greatly extended our engagement with external security consultants and did a full review with the first-class agency of our external and internal security measures,” reported the company.
