The popular stock photo company Freepik has announced that its Freepik and Flaticon websites have fallen victim to a security breach which allowed hackers to obtain millions of user credentials.
The company released an official statement in which it explained that an attacker was able to gain access to one of its databases by leveraging an SQL injection vulnerability.
While Freepik did not disclose when the breach occurred or how it was discovered, the company did say that it has already notified authorities regarding the matter.
Based on its internal forensic analysis, Freepik determined that the attacker was able to extract the email addresses and hashed passwords of its oldest 8.3m users.
Of the 8.3m Freepik and Flaticon users affected by the breach, 4.5m of them had no hashed password because they used federated logins (with Google, Facebook or Twitter) to sign up for the service. Thus the attacker was only able to obtain the email addresses of these users.
The remaining 3.77m users had their email addresses and a hash of their password stolen in the security breach. For 3.55m of these users, bcrypt was used to hash their passwords while the remaining 229k users had their passwords salted with MD5. Freepik has since updated the hashed passwords of all users to bcrypt.
In its official statement, Freepik provided further details on the steps it has taken so far, saying:
“Those who had a password hashed with salted MD5 got their password canceled and have received an email to urge them to choose a new password and to change their password if it was shared with any other site (a practice that is strongly discouraged). Users who got their password hashed with bcrypt received an email suggesting them to change their password, especially if it was an easy to guess password. Users who only had their email leaked were notified, but no special action is required from them.”
It is highly recommended that Freepik and Flaticon users update their passwords following the security breach and ensure that they’re not using the same password across multiple sites or services.