[BreachExchange] Free photos, graphics site Freepik discloses data breach impacting 8.3M users

Tue Aug 25 10:07:00 EDT 2020

https://www.zdnet.com/article/free-photos-graphics-site-freepik-discloses-data-breach-impacting-8-3m-users/

Freepik, a website dedicated to providing access to high-quality free
photos and design graphics, has disclosed a major security breach.

The company made it official after users started grumbling on social
media this week about receiving shady-looking breach notification
emails in their inboxes.

ZDNet reached out to the Freepik Company on Aug. 20, and while we have
not heard back before this article's publication, the company formally
disclosed a security breach Friday, confirming the authenticity of the
emails it's been sending to registered users for the past few days.

HACKER USED AN SQL INJECTION TO GET IN

According to the company's official statement, the security breach
occurred after a hacker (or hackers) used an SQL injection
vulnerability to gain access to one of its databases storing user
data.

Freepik said the hacker obtained usernames and passwords for the
oldest 8.3 million users registered on its Freepik and Flaticon
websites.

Freepik didn't say when the breach took place, or when it found out
about it. However, the company says it notified authorities as soon as
it learned of the incident, and began investigating the breach, and
what the hacker had accessed.

MILLIONS OF PASSWORD HASHES WERE PILFERED

As for what was taken, Freepik said that not all users had passwords
associated with their accounts, and the hacker only took user emails
for some.

The company puts this number at 4.5 million, representing users who
used federated logins (Google, Facebook, or Twitter) to log into their
accounts.

"For the remaining 3.77M users the attacker got their email address
and a hash of their password," the company added. "For 3.55M of these
users, the method to hash the password is bcrypt, and for the
remaining 229K users the method was salted MD5. Since then we have
updated the hash of all users to bcrypt."

IN THE PROCESS OF NOTIFYING USERS

The company said it's now in the process of notifying all impacted
users with customized emails, depending on what was taken. These
emails are going out to Freepik and Flaticon users, depending on what
service users had registered on. Below are some of these messages, as
we received from our readers.

"Those who had a password hashed with salted MD5 got their password
canceled and have received an email to urge them to choose a new
password and to change their password if it was shared with any other
site (a practice that is strongly discouraged)," Freepik said. "Users
who got their password hashed with bcrypt received an email suggesting
them to change their password, especially if it was an easy to guess
password. Users who only had their email leaked were notified, but no
special action is required from them."

Freepik is one of the most popular sites on the internet, currently
ranked No. 97 on the Alexa Top 100 sites list. Flaticon is not far
behind, ranked No. 668.

When EQT acquired the Freepik Company at the end of May this year, the
company claimed the Freepik service has a community of more than 20
million registered users.

Users registered on Slidesgo, another of the Freepik Company's
websites, don't appear to have been impacted.