Freepik Group, the company behind the Freepik and Flaticon websites, has disclosed a data breach that affected about 8.3 million of its users.
Freepik is a search engine that provides access to high-quality graphics resources for users, including images, vectors, illustrations and the like. Users can find more than 3 million vector icons in different file formats on Flaticon.
The attackers, Freepik Company explains, exploited a SQL injection vulnerability in Flaticon that allowed them to access user information.
“[I]n our forensic study, we found the email was stolen by an attacker and the password hash of the oldest 8.3 M users, if available. To clarify, the password hash isn’t the password, and can’t be used to log in to your account,” the firm said.
The company reports that no password hash was leaked for 4.5 million of the affected users, because they only used federated logins (with Google, Facebook and/or Twitter); for those users only the email address was exposed.
Both the email address and a password hash were leaked for 3.77 million users. Of those hashes, 3.55 million were bcrypt and the remaining 229,000 were salted MD5.
Freepik says it has since moved all user password hashes to bcrypt, and users whose password had been hashed with salted MD5 were prompted to reset it.
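The remediation described above raises a practical question: a stored salted-MD5 digest cannot be turned back into the plaintext that a fresh bcrypt hash needs. The block below is an added example, not Freepik's code, showing the usual way out: wrap the existing MD5 digest in a slow hash offline so the stored value is no longer crackable as plain MD5, then replace it with a direct slow hash the next time the user presents the password, while keeping the forced-reset flag set until they actually choose a new one. Python's standard library has no bcrypt, so `hashlib.scrypt` stands in for it; the record layout, salt sizes and flag names are assumptions, and the sample password is constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Stand-in for bcrypt: stdlib scrypt (memory-hard). 128 * n * r = 16 MiB per hash.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)


def legacy_md5(password: str, salt: bytes) -> str:
    """The weak legacy scheme named in the article: MD5 over salt || password.
    Fast and GPU-friendly, which is why leaked digests of this kind must be reset."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def slow_hash(material: bytes, salt: bytes) -> bytes:
    """Slow, salted hash. scrypt here; bcrypt would be used identically."""
    return hashlib.scrypt(material, salt=salt, dklen=32, **SCRYPT_PARAMS)


@dataclass
class Record:
    salt: bytes            # salt for the MD5 layer (legacy) and the slow hash
    digest: bytes          # slow-hash output
    wrapped_md5: bool      # True while the slow hash covers the MD5 hex, not the password
    reset_required: bool   # legacy users must pick a new password (assumed policy flag)


def wrap_legacy(md5_hex: str, salt: bytes) -> Record:
    """Offline migration step: no plaintext is available, so wrap the existing
    salted-MD5 digest in the slow hash. The database now holds slow_hash(md5hex)."""
    return Record(salt, slow_hash(md5_hex.encode(), salt), wrapped_md5=True, reset_required=True)


def hash_new(password: str, reset_required: bool = False) -> Record:
    """Direct slow hash of a plaintext password with a fresh random salt."""
    salt = os.urandom(16)
    return Record(salt, slow_hash(password.encode(), salt), False, reset_required)


def verify_and_upgrade(rec: Record, password: str) -> tuple[bool, Record]:
    """Check a login attempt. For wrapped records, recompute the legacy MD5 first,
    then verify the slow hash over it. On success the plaintext is in hand, so the
    record is upgraded to a direct slow hash; the reset flag is left untouched."""
    if rec.wrapped_md5:
        material = legacy_md5(password, rec.salt).encode()
    else:
        material = password.encode()
    ok = hmac.compare_digest(slow_hash(material, rec.salt), rec.digest)
    if ok and rec.wrapped_md5:
        return True, hash_new(password, reset_required=rec.reset_required)
    return ok, rec


def change_password(rec: Record, new_password: str) -> Record:
    """User-initiated reset: fresh direct hash, forced-reset flag cleared."""
    return hash_new(new_password, reset_required=False)


if __name__ == "__main__":
    # Constructed legacy row: salt + MD5 of a known password.
    salt = b"0123456789abcdef"
    old = wrap_legacy(legacy_md5("correct horse", salt), salt)
    ok, upgraded = verify_and_upgrade(old, "correct horse")
    print("login ok:", ok, "| wrapped:", upgraded.wrapped_md5, "| reset:", upgraded.reset_required)
    final = change_password(upgraded, "new passphrase")
    print("after reset ok:", verify_and_upgrade(final, "new passphrase")[0], "| reset:", final.reset_required)
```

Wrapping alone only buys time against offline cracking of the stored values; the reset prompt is still needed because the original MD5 digests may already have been cracked before the migration, which is why the flag survives the automatic upgrade and is cleared only by `change_password`.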
“Users who got their password hashed with bcrypt received an email suggesting that they change their password, particularly if it was an easy password to guess. Users who have had their email leaked have been informed but they do not need any special action,” the company reported.
Freepik also added that it periodically checks passwords and emails leaked on the Web against Freepik and Flaticon user credentials, disables any password found to have been leaked, and notifies the users concerned.
“Because of this incident, we have extended our engagement with external security consultants considerably and undertaken a full review of our external and internal security measures with a first-class agency. We have taken some important short-term measures to increase our safety and planned additional security measures in the medium and long term,” the company revealed.