Popular Freepik site discloses data breach impacting 8.3M users

Freepik, one of the most popular online graphic resources sites online has disclosed a security breach that impacted 8.3 Million users.

Freepik, the popular website that provides high-quality free photos and design graphics, has disclosed a major security breach that impacted 8.3 Million users.

Freepik says that hackers were able to steal emails and password hashes for 8.3M Freepik and Flaticon users in an SQL injection attack against the company’s Flaticon website.

Freepik is one of today’s most popular sites online, it is currently ranked #97 on the Alexa Top 100 sites list, while Flaticon is ranked #668.

The company is notifying the impacted registered users via email.

“We have recently notified all affected users of a security breach in Freepik Company, affecting Freepik and Flaticon. The security breach was due to a SQL injection in Flaticon that allowed an attacker to get some user’s information from our database.” reads the statement published by Freepik.

“We immediately notified the competent authorities of the breach, and in our forensic analysis, we determined that an attacker extracted the email and, when available, the hash of the password of the oldest 8.3M users.”

Freepik said the hacker obtained usernames and passwords for the oldest 8.3 million users registered on its Freepik and Flaticon websites.

According to the company, 4.5M out of these 8.3M user records had no hashed password because they used exclusively federated logins, this means that attackers only accessed their email address.

“For the remaining 3.77M users the attacker got their email address and a hash of their password,” continues the statement. “For 3.55M of these users, the method to hash the password is bcrypt, and for the remaining 229K users the method was salted MD5. Since then we have updated the hash of all users to bcrypt.”

The company did not disclose technical details of the incident, such as when the intrusion took place.

The company is currently investigating the incident.

In response to the incident the company canceled passwords for the accounts that had a password hashed with salted MD5 and urge them via email to reset the password.

“Users who got their password hashed with bcrypt received an email suggesting them to change their password, especially if it was an easy to guess password. Users who only had their email leaked were notified, but no special action is required from them.” reads the statement.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

[adrotate banner=”5″]

[adrotate banner=”13″]