Freepik says that hackers were able to steal emails and password hashes for 8.3M Freepik and Flaticon users in an SQL injection attack against the company’s Flaticon website.
Freepik is the company behind Freepik (one of the largest online graphic resource sites in the world) and Flaticon (an icon database platform), which together total 18 million monthly unique users, 50 million monthly views, and 100 million monthly downloads.
The threat actors behind the Freepik security breach were able to steal the oldest 8.3M users’ emails and password hashes, where available.
“To clarify, the hash of the password is not the password, and can not be used to log into your account,” Freepik added.
229K MD5 salted passwords reset after breach
“Out of these 8.3M users, 4.5M had no hashed password because they used exclusively federated logins (with Google, Facebook and/or Twitter), and the only data the attacker obtained from these users was their email address,” the company added.
3.55 million users had their email addresses and bcrypt password hashes harvested and exfiltrated by the attackers, while for roughly 229,000 users the attackers obtained salted MD5 password hashes.
Because passwords hashed with salted MD5 are easy to crack, Freepik reset the accounts of all 229,000 of those users and emailed them to change their passwords as soon as possible.
For the 3.55 million users with bcrypt-hashed passwords, Freepik took no other measures besides notifying them via email to update their credentials.
Data breach notification letter
Freepik now uses bcrypt to hash all user passwords
“Those who had a password hashed with salted MD5 got their password canceled and have received an email to urge them to choose a new password and to change their password if it was shared with any other site (a practice that is strongly discouraged),” Freepik explained.
“Users who got their password hashed with bcrypt received an email suggesting them to change their password, especially if it was an easy to guess password. Users who only had their email leaked were notified, but no special action is required from them.”
Freepik says that since the data breach it has been using bcrypt to hash all user passwords and has hired external security experts to perform a full audit of its internal and external security measures.
If you want to check whether your credentials have been compromised in a data breach, you can use Have I Been Pwned, a huge database of accounts leaked in hundreds of site breaches.
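The triage described above (notify-only for federated accounts, advise-change for bcrypt, forced reset for salted MD5) and the migration to a slow hash, as an added example that is not Freepik's code. The `md5$salt$digest` record format, the sample export rows and the `hunter2` password are constructed; because bcrypt is not in the Python standard library, `hashlib.scrypt` stands in for bcrypt as the replacement slow hash.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed export rows: (email, stored hash or None). Legacy salted-MD5 rows are
# assumed to be stored as "md5$<hex salt>$<hex digest>"; bcrypt rows carry the
# standard "$2b$" modular-crypt prefix. Neither format is taken from Freepik.
_SALT_HEX = "a1b2c3d4"
SAMPLE_EXPORT = [
    ("alice@example.com", None),                    # federated login only, no hash
    ("bob@example.com", "$2b$12$" + "x" * 53),      # bcrypt record (60 chars)
    ("carol@example.com", "md5$" + _SALT_HEX + "$"
     + hashlib.md5(bytes.fromhex(_SALT_HEX) + b"hunter2").hexdigest()),
]

def classify(stored: Optional[str]) -> str:
    """Map a stored credential to the response group used in the breach notice."""
    if stored is None:
        return "notify_only"      # only the email was exposed, nothing to crack
    if stored.startswith(("$2a$", "$2b$", "$2y$")) and len(stored) == 60:
        return "advise_change"    # bcrypt: slow to crack, user-driven rotation
    if stored.startswith("md5$"):
        return "force_reset"      # salted MD5: cheap to crack, invalidate now
    raise ValueError("unknown hash format")

def triage(export) -> dict:
    """Count how many accounts fall into each response group."""
    counts = {"notify_only": 0, "advise_change": 0, "force_reset": 0}
    for _, stored in export:
        counts[classify(stored)] += 1
    return counts

def verify_legacy_md5(stored: str, password: str) -> bool:
    """Check a password against a legacy salted-MD5 record with a constant-time compare."""
    _, salt_hex, digest_hex = stored.split("$", 2)
    digest = hashlib.md5(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(digest, digest_hex)

def upgrade_on_login(stored: str, password: str) -> Optional[str]:
    """On a successful login against a legacy record, return a replacement slow hash.
    scrypt is the stand-in for bcrypt here (assumption: bcrypt is not in the stdlib)."""
    if not verify_legacy_md5(stored, password):
        return None
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return "scrypt$" + salt.hex() + "$" + digest.hex()
```

Running `triage(SAMPLE_EXPORT)` on the constructed rows returns one account in each group; `upgrade_on_login` returns a new record only when the legacy hash verifies, so a wrong password never triggers a rehash.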