Freepik Company, the company behind popular online brands Freepik and Flaticon, recently announced a data breach that involved hackers gaining access to the email addresses and hashed passwords of up to 8.3 million users.
The hackers, who are yet to be identified, exploited an SQL injection vulnerability in Flaticon to gain access to the email addresses and hashed passwords of millions of Freepik users, the company said. Users who logged in to Freepik or Flaticon through their Google, Facebook, or Twitter accounts only had their email addresses accessed by the hackers.
While Flaticon is one of the world’s largest resources of free vector icons in SVG, PSD, PNG, EPS format, Freepik is also among the most popular repositories of free graphic resources, stock photos, vectors, and icons.
In a press release published on Friday, Freepik Company said it recently notified as many as 8.3 million of its oldest users that their email addresses and/or hashed passwords were accessed by an attacker due to an SQL injection in Flaticon.
While the email addresses of 8.3 million users were accessed by the attacker, the hashed passwords of only 3.77 million were accessed, as the remaining 4.5 million used exclusively federated logins such as Google, Facebook or Twitter to log in to Flaticon.
Out of the 3.77 million users whose hashed passwords were accessed, the passwords of 3.55 million users were hashed using bcrypt and the passwords of the remaining 229,000 users were hashed using a salted MD5 algorithm. Freepik said users whose passwords were hashed using MD5 were asked to urgently change their account passwords.
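The distinction between the two hash groups above is what drives the "change your password urgently" advice: a salted MD5 digest can be guessed at memory-bus speed, while a slow, salted KDF cannot. The following is an added example, not Freepik's code, of the mitigation a site in this position wants: verify a legacy salted-MD5 record, re-hash it with a slow KDF on the next successful login, and measure the throughput gap. PBKDF2 from Python's standard library stands in for bcrypt, and the user store, usernames and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed user store: username -> (scheme, salt, digest).
# "md5" records mimic the legacy salted-MD5 hashes described in the article;
# "pbkdf2" stands in for bcrypt (assumption: stdlib only, no bcrypt package).
PBKDF2_ITERATIONS = 100_000


def legacy_md5(password: str, salt: bytes) -> bytes:
    """Legacy scheme: one fast MD5 over salt||password (kept only for verification)."""
    return hashlib.md5(salt + password.encode()).digest()


def strong_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted KDF; each guess costs the attacker PBKDF2_ITERATIONS HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_record(password: str, scheme: str = "pbkdf2"):
    salt = os.urandom(16)
    if scheme == "md5":
        return ("md5", salt, legacy_md5(password, salt))
    return ("pbkdf2", salt, strong_hash(password, salt))


def verify_and_upgrade(store: dict, username: str, password: str) -> bool:
    """Check the password; if it matches a legacy MD5 record, re-hash it in place.

    The upgrade can only happen at login, because that is the only moment the
    site holds the plaintext. Users who never log in keep the weak hash, which
    is why a forced password change is the right call for the MD5 population."""
    scheme, salt, digest = store[username]
    hasher = legacy_md5 if scheme == "md5" else strong_hash
    ok = hmac.compare_digest(hasher(password, salt), digest)  # constant-time compare
    if ok and scheme == "md5":
        store[username] = make_record(password)  # migrate to the slow KDF
    return ok


def hashes_per_second(fn, seconds: float = 0.2) -> float:
    """Rough single-core guess rate for a hash function (the attacker's view)."""
    salt, n, stop = b"\x00" * 16, 0, time.perf_counter() + seconds
    while time.perf_counter() < stop:
        fn("guess%d" % n, salt)
        n += 1
    return n / seconds


# Constructed sample accounts, one on each scheme.
STORE = {
    "legacy_user": make_record("correct horse", "md5"),
    "new_user": make_record("battery staple"),
}
```

Running `hashes_per_second(legacy_md5)` against `hashes_per_second(strong_hash)` shows the gap of several orders of magnitude that makes a leaked MD5 table far more dangerous than a bcrypt or PBKDF2 one.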
“Due to this incident, we have greatly extended our engagement with external security consultants and did a full review with a first-class agency of our external and internal security measures. We took some important short-term measures to increase our security and have planned medium- and long-term extra security measures. While no system is 100% secure, this should not have happened and we apologize for this leak,”
Commenting on the breach suffered by Freepik, Ilia Kolochenko, Founder & CEO of ImmuniWeb, told TEISS that the reportedly hacked resource is used by a huge number of webmasters and programmers, many of whom have privileged, or even unlimited, access to the web applications and databases of their customers. Thus, cybercriminals will likely initiate large-scale password reuse attacks and phishing campaigns targeting careless and inattentive software developers.
“Given how many small law firms, financial and tax advisors entrust their data to these future victims, we may expect a spike in sophisticated, chained intrusions into large companies via their trusted third parties such as law firms and external advisors,” he added.
Image Source: Freepik