Freepik Company, the organization behind the Freepik and Flaticon websites, has disclosed a data breach that impacted approximately 8.3 million of the
Freepik Company, the organization behind the Freepik and Flaticon websites, has disclosed a data breach that impacted approximately 8.3 million of their users.
Freepik is a search engine that provides users with access to high-quality graphics resources, including images, vectors, illustrations, and the like. On Flaticon, users can find over 3 million vector icons in various file formats.
The attackers, Freepik Company explains, exploited an SQL injection vulnerability in Flaticon, which allowed them to access user information.
“[I]n our forensic analysis, we determined that an attacker extracted the email and, when available, the hash of the password of the oldest 8.3M users. To clarify, the hash of the password is not the password, and cannot be used to log into your account,” the company announced.
The company reveals that for 4.5 million of the affected users no hashed password was leaked, because federated logins (with Google, Facebook and/or Twitter) were used, exclusively. For these users, only the email address was leaked.
For 3.77 million users, both the email address and a hash of the password were leaked. 3.55 million of these passwords were hashed using bcrypt, while for the remaining 229,000 salted MD5 was used.
Freepik says that it has since updated the hash for all user passwords to bcrypt, and that those who had a password hashed with salted MD5 have been prompted to reset it.
“Users who got their password hashed with bcrypt received an email suggesting them to change their password, especially if it was an easy to guess password. Users who only had their email leaked were notified, but no special action is required from them,” the company announced.
Freepik also added that it is regularly scanning the passwords and emails that have been leaked on the Internet to identify those that match credentials of Freepik and Flaticon users, and that it disables any passwords found to have been leaked, while also notifying the affected users.
“Due to this incident, we have greatly extended our engagement with external security consultants and did a full review with a first-class agency of our external and internal security measures. We took some important short term measures to increase our security and have planned medium and long term extra security measures,” the company revealed.