Freepik Says That Hackers Stole Emails And Password Hashes For 8.3 Million Users Via SQL Injection In A Major Data Breach

Today, Freepik, one of the most popular photo and illustration hub in the world, disclosed that attackers stole emails and password hashes for 8.3 million Flaticon and Freepik users in an SQL injection hack. Freepik is the company behind Flaticon which is an icon database platform and the Freepik website which is one of the world’s largest graphic resources websites. Freepik provides PSD files, vector photos, illustrations, and icons. The Freepik website is currently ranked 97 on the Alexa Top 100 websites list while the Flaticon website is ranked 668.

The company informed its users about the security breach via an email. The company said that the data breach was due to an SQL injection in Flaticon that enabled the hacker to get access to some user’s information on the company’s website. In its official statement, Freepik stated that the threat actors were able to steal emails and, when available, password hashes of the oldest 8.3 million users of Flaticon and Freepik sites.

It is important to note that the hash of a password is not the password, and it cannot be used to sign in to your account. The company did not make it clear when the data breach took place or when the company found out about this major security breach. However, Freepik stated in its official statement that the company immediately notified the competent authorities of the breach, and began investigating the incident. According to the company, 4.5 million users out of these 8.3 million users had no hashed password since they used federated logins such as Facebook, Twitter, or Google to sing into their accounts. Hackers only obtained the email addresses of these 4.5 million users.

On the other hand, attackers obtained the email address as well as a hash of their password for the remaining 3.77 million users. The company revealed that for 3.55 million of these users, attackers used the bcrypt method to hash the password. On the other hand, for the remaining 229,000 users, the hackers got MD5 salted password hashes. These 229K users got their password canceled and the company has delivered an email to these users urging them to choose a new password. Furthermore, the company has updated the hash of all of its users to bcrypt.

For those 3.55 million users who got their password hashed with bcrypt, they have received an email recommending them to change their login credentials. Lastly, the company notified those users who had their email addresses leaked, however, no special action is needed from those users.

Read next: Researchers Discovered a New Vulnerability That Could Put Millions of IoT Devices at Risk
Previous Post Next Post