Free photos, graphics site Freepik discloses data breach impacting 8.3m users

Image: Freepik Company

Freepik, a website dedicated to providing access to high-quality free photos and design graphics, has disclosed today a major security breach.

The company made it official after users started grumbling on social media this week about receiving shady-looking breach notification emails in their inboxes.

ZDNet reached out to the Freepik Company on Thursday, and while we have not heard back before this article’s publication, the company formally disclosed a security breach today, confirming the authenticity of the emails it’s been sending to registered users for the past few days.

Hacker used an SQL injection to get in

According to the company’s official statement, the security breach occurred after a hacker (or hackers) used an SQL injection vulnerability to gain access to one of its databases storing user data.

Freepik said the hacker obtained usernames and passwords for the oldest 8.3 million users registered on its Freepik and Flaticon websites.

Freepik didn’t say when the breach took place, or when it found out about it. However, the company says it notified authorities as soon as it learned of the incident and began investigating the breach and what the hacker had accessed.

Millions of password hashes were pilfered

As for what was taken, Freepik said that not all users had passwords associated with their accounts, and the hacker only took user emails for some.

The company puts this number at 4.5 million, representing users who used federated logins (Google, Facebook, or Twitter) to log into their accounts.

“For the remaining 3.77M users the attacker got their email address and a hash of their password,” the company added. “For 3.55M of these users, the method to hash the password is bcrypt, and for the remaining 229K users the method was salted MD5. Since then we have updated the hash of all users to bcrypt.”
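Re-hashing every account to bcrypt, as the statement describes, cannot be done directly because a site never holds the plaintext passwords; the usual approach is to wrap each stored salted-MD5 digest inside the slow hash in a batch job, then replace the wrapper with a direct hash the next time the user logs in. The following is an added example of that migration pattern, not Freepik's code; it assumes a constructed `md5$<salt>$<digest>` record layout and uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt, which the stdlib does not ship.

```python
import hashlib
import hmac
import os

# Assumed legacy layout (constructed for this example): "md5$<salt_hex>$<md5_hex>",
# where md5_hex = MD5(salt || password). Freepik's real layout is not published.
PBKDF2_ITERATIONS = 100_000  # work factor; bcrypt's cost parameter plays this role

def legacy_md5(password: str, salt: bytes) -> str:
    return hashlib.md5(salt + password.encode()).hexdigest()

def legacy_record(password: str, salt: bytes = b"") -> str:
    """Build a legacy record; used here only to construct sample data."""
    salt = salt or os.urandom(8)
    return f"md5${salt.hex()}${legacy_md5(password, salt)}"

def slow_hash(material: bytes, salt: bytes) -> str:
    # Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library.
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERATIONS).hex()

def hash_fresh(password: str) -> str:
    salt = os.urandom(16)
    return f"pbkdf2${salt.hex()}${slow_hash(password.encode(), salt)}"

def wrap_legacy(record: str) -> str:
    """Offline migration step: wrap an existing salted-MD5 digest in the slow hash.
    No password is needed, so a whole table can be converted in one batch job and
    no bare MD5 digest remains in the database to be cracked offline."""
    scheme, md5_salt_hex, md5_hex = record.split("$")
    if scheme != "md5":
        raise ValueError("not a legacy md5 record")
    salt = os.urandom(16)
    return f"pbkdf2(md5)${md5_salt_hex}${salt.hex()}${slow_hash(md5_hex.encode(), salt)}"

def verify(record: str, password: str):
    """Check a login. Returns (ok, replacement_record): for a wrapped record the
    password is now known, so a direct hash is returned for the caller to store."""
    parts = record.split("$")
    if parts[0] == "pbkdf2":
        _, salt_hex, digest = parts
        ok = hmac.compare_digest(slow_hash(password.encode(), bytes.fromhex(salt_hex)), digest)
        return ok, None
    if parts[0] == "pbkdf2(md5)":
        _, md5_salt_hex, salt_hex, digest = parts
        inner = legacy_md5(password, bytes.fromhex(md5_salt_hex)).encode()
        ok = hmac.compare_digest(slow_hash(inner, bytes.fromhex(salt_hex)), digest)
        return ok, (hash_fresh(password) if ok else None)
    raise ValueError(f"unknown scheme {parts[0]!r}; wrap legacy records first")
```

The caller stores the replacement record whenever `verify` returns one, so the MD5 layer disappears from each account on its next successful login.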

In the process of notifying users

The company said it’s now in the process of notifying all impacted users with customized emails, depending on what was taken. These emails are going out to Freepik and Flaticon users, depending on what service users had registered on. Below are some of these messages, as we received from our readers.

[Image: freepik-notifications.png, the breach notification emails received by readers]

“Those who had a password hashed with salted MD5 got their password canceled and have received an email to urge them to choose a new password and to change their password if it was shared with any other site (a practice that is strongly discouraged),” Freepik said. “Users who got their password hashed with bcrypt received an email suggesting them to change their password, especially if it was an easy to guess password. Users who only had their email leaked were notified, but no special action is required from them.”

Freepik is one of today’s most popular sites on the internet, currently ranked #97 on the Alexa Top 100 sites list. Flaticon is not far behind, ranked #668.

When EQT acquired the Freepik Company at the end of May this year, the company claimed the Freepik service has a community of more than 20 million registered users.

Users registered on Slidesgo, another of the Freepik Company’s websites, don’t appear to have been impacted.
