The Freepik Company has disclosed a data breach impacting the login information of more than 8 million Freepik and Flaticon users.
According to a press release, the security incident was the result of a SQL injection vulnerability in Flaticon, one of the world's largest databases of free customizable icons, which allowed attackers to query the backing database and exfiltrate user information.
“We immediately notified the competent authorities of the breach, and in our forensic analysis, we determined that an attacker extracted the email and, when available, the hash of the password of the oldest 8.3M users,” the company said.
More precisely, the attackers were able to steal 4.5 million email addresses and 3.77 million combinations of email addresses and hashed passwords.
“Out of these 8.3M users, 4.5M had no hashed password because they used exclusively federated logins (with Google, Facebook and/or Twitter), and the only data the attacker obtained from these users was their email address,” Freepik added. “For the remaining 3.77M users the attacker got their email address and a hash of their password. For 3.55M of these users, the method to hash the password is bcrypt, and for the remaining 229K users the method was salted MD5.”
Freepik invalidated all salted-MD5 password hashes, and the affected users were prompted to choose a new password before they could log in to their accounts again. The roughly 3.55 million users whose passwords were hashed with bcrypt received an email suggesting they reset their passwords, and all Flaticon and Freepik users were advised to change the password on any other online account where they had reused the same credentials.
The platform developers have also revealed that they regularly check for leaked email addresses and passwords online. If a leaked email and password pair matches a Freepik or Flaticon account, that account's password is disabled and the user is required to update their login credentials.
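The two response tiers above (forced reset for salted-MD5 users, suggested reset for bcrypt users) and the leaked-credential check follow directly from how cheap the stored hash is to attack. The following Python is an added illustration written for this article, not Freepik's code: it triages constructed sample records by hash scheme, runs the offline dictionary attack an attacker would mount against a leaked salted-MD5 record, and performs the defender-side "does this leaked password still match" check. The legacy record format `md5$<hex salt>$<hex digest>`, the sample users, the wordlist and the placeholder bcrypt string are all assumptions made for the example; bcrypt verification itself is omitted because it needs a third-party library.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records for this example (not Freepik/Flaticon data).
# The legacy record format "md5$<hex salt>$<hex digest>" is an assumption;
# bcrypt records are recognised by the standard "$2a$"/"$2b$"/"$2y$" prefix.


def salted_md5(password: str, salt: bytes) -> str:
    # MD5 over salt || password. Fast by design, which is the problem: the salt
    # defeats precomputed tables but not a per-user dictionary attack.
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def store_salted_md5(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else secrets.token_bytes(8)
    return f"md5${salt.hex()}${salted_md5(password, salt)}"


def hash_scheme(stored: Optional[str]) -> str:
    if stored is None:
        return "federated"  # Google/Facebook/Twitter login, no password stored
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if stored.startswith("md5$"):
        return "md5"
    return "unknown"


def triage(users: dict) -> dict:
    """Decide the breach response per account.

    md5/unknown -> 'force_reset'   (cheap to crack: invalidate immediately)
    bcrypt      -> 'suggest_reset' (slow hash: cracking is costly, not impossible)
    federated   -> 'notify_only'   (only the email address was exposed)
    """
    actions = {}
    for email, stored in users.items():
        scheme = hash_scheme(stored)
        if scheme in ("md5", "unknown"):
            actions[email] = "force_reset"
        elif scheme == "bcrypt":
            actions[email] = "suggest_reset"
        else:
            actions[email] = "notify_only"
    return actions


def crack_salted_md5(stored: str, wordlist: list) -> Optional[str]:
    """Offline dictionary attack against one leaked salted-MD5 record."""
    _, salt_hex, digest = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    for candidate in wordlist:
        if salted_md5(candidate, salt) == digest:
            return candidate
    return None


def matches_leaked_password(stored: Optional[str], plaintext: str) -> bool:
    """Defender-side check: does an (email, password) pair found in a public
    dump still match this account? Only md5 records are handled here."""
    if hash_scheme(stored) != "md5":
        return False
    _, salt_hex, digest = stored.split("$")
    computed = salted_md5(plaintext, bytes.fromhex(salt_hex))
    return hmac.compare_digest(computed, digest)


# Constructed sample data. The bcrypt value is only a placeholder of the right
# shape (60 characters, "$2b$" prefix); it is not a real hash.
SAMPLE_USERS = {
    "alice@example.com": None,
    "bob@example.com": "$2b$12$" + "x" * 53,
    "carol@example.com": store_salted_md5(
        "summer2019", salt=bytes.fromhex("0011223344556677")
    ),
}
SAMPLE_WORDLIST = ["123456", "password", "summer2019", "letmein"]


def demo():
    actions = triage(SAMPLE_USERS)
    cracked = crack_salted_md5(SAMPLE_USERS["carol@example.com"], SAMPLE_WORDLIST)
    return actions, cracked


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that carol's salted-MD5 record falls to a four-word list in microseconds, whereas the same attack against a bcrypt record with a cost of 12 has to pay roughly 4096 blowfish key setups per guess; that cost difference is why one population had its passwords invalidated outright and the other was merely urged to rotate. `matches_leaked_password` is the same computation run by the defender with a known plaintext, and it uses `hmac.compare_digest` because, unlike the offline attack, it runs on a live service where a timing leak would matter.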
Freepik apologized for the leak and assured users that it plans to strengthen internal and external security measures to avoid any future incidents.
“Due to this incident, we have greatly extended our engagement with external security consultants and did a full review with a first-class agency of our external and internal security measures,” Freepik concluded. “We took some important short term measures to increase our security and have planned medium and long term extra security measures.”