Freepik, a website that provides free high-quality stock photos and design graphics, disclosed a major security breach today.
The company made it official after users began complaining on social media this week about suspicious-looking breach notification emails landing in their inboxes.
ZDNet reached out to the Freepik Company on Thursday. We had not heard back before this article's publication, but the company formally disclosed the breach today, confirming that the emails it has been sending to registered users over the past few days are genuine.
Hacker used an SQL injection to get in
According to the company's official statement, the breach occurred after a hacker (or hackers) exploited an SQL injection vulnerability to gain access to one of its databases storing user data.
Freepik said the attacker obtained the email addresses and, where one existed, the password hashes of the oldest 8.3 million accounts registered on its Freepik and Flaticon websites.
Freepik did not say when the breach took place or when it discovered it. The company says it notified authorities as soon as it learned of the incident and began investigating what the attacker had accessed.
Millions of password hashes were pilfered
As for what was taken, Freepik said that not all users had a password associated with their account; for those users the attacker obtained only an email address.
The company puts this number at 4.5 million, representing users who signed in through federated logins (Google, Facebook, or Twitter) and therefore never set a Freepik password.
“For the remaining 3.77M users the attacker got their email address and a hash of their password,” the company added. “For 3.55M of these users, the method to hash the password is bcrypt, and for the remaining 229K users the method was salted MD5. Since then we have updated the hash of all users to bcrypt.”
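The statement above distinguishes two storage schemes, and the distinction matters for what an attacker can do with a stolen dump. The following is an added example, not code from the original article or from Freepik: it runs the same small offline dictionary attack against a constructed salted-MD5 record and against a record made with a deliberately slow hash, and it shows one way a legacy digest can be wrapped in a slow hash without knowing the plaintext. Everything here is an assumption for illustration: the wordlist and salts are made up, the legacy layout is assumed to be md5(salt || password), and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which Python does not ship; the article does not say how Freepik salted its MD5 hashes or how it migrated them.

```python
import hashlib
import time

# Constructed sample wordlist (not from any real breach). "sunshine" is the 5th entry.
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine", "freepik2020"]


def salted_md5(password: str, salt: bytes) -> str:
    """Legacy scheme. Layout assumed for illustration: md5(salt || password), hex-encoded."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, rounds: int) -> str:
    """Stand-in for bcrypt's tunable work factor: PBKDF2-HMAC-SHA256 with `rounds` iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def make_legacy_record(password: str, salt: bytes):
    """What a salted-MD5 row in the stolen table would look like: (salt, digest)."""
    return salt, salted_md5(password, salt)


def make_slow_record(password: str, salt: bytes, rounds: int):
    """Same row, but stored with the slow hash."""
    return salt, slow_hash(password, salt, rounds)


def crack(record, hash_fn, wordlist):
    """Offline dictionary attack on one stolen row.

    hash_fn(guess, salt) must reproduce the stored digest. The salt is in the
    record, so it does not stop per-user guessing; it only defeats precomputed
    tables. Returns (recovered password or None, number of guesses tried).
    """
    salt, digest = record
    for tried, guess in enumerate(wordlist, 1):
        if hash_fn(guess, salt) == digest:
            return guess, tried
    return None, len(wordlist)


def guesses_per_second(hash_fn, salt: bytes, budget: float = 0.2) -> float:
    """Measure how fast one core can evaluate hash_fn; this is what a cost factor buys."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < budget:
        hash_fn("guess", salt)
        count += 1
    return count / (time.perf_counter() - start)


def wrap_legacy(legacy_record, rounds: int):
    """Upgrade a legacy row without the plaintext: slow_hash over the MD5 digest itself.

    Illustrative technique only; the article does not say Freepik did this. The
    result is as slow to guess as a fresh slow hash, and a later login with the
    real password can replace it with a direct slow hash.
    """
    salt, md5_hex = legacy_record
    return salt, slow_hash(md5_hex, salt, rounds)


def verify_wrapped(password: str, wrapped_record, rounds: int) -> bool:
    """Check a password against a wrapped row by recomputing both layers."""
    salt, digest = wrapped_record
    return slow_hash(salted_md5(password, salt), salt, rounds) == digest


if __name__ == "__main__":
    salt, rounds = b"constructed-salt", 100_000
    legacy = make_legacy_record("sunshine", salt)
    slow = make_slow_record("sunshine", salt, rounds)

    # Both rows fall to the same wordlist: the salt never hid the password.
    print("salted MD5:", crack(legacy, salted_md5, WORDLIST))
    print("slow hash: ", crack(slow, lambda p, s: slow_hash(p, s, rounds), WORDLIST))

    # What differs is the attacker's throughput per core.
    print("MD5 guesses/s: %.0f" % guesses_per_second(salted_md5, salt))
    print("slow guesses/s: %.1f" % guesses_per_second(lambda p, s: slow_hash(p, s, rounds), salt))

    wrapped = wrap_legacy(legacy, 1_000)
    print("wrapped verify:", verify_wrapped("sunshine", wrapped, 1_000))
```

Run as a script, it recovers the password from both rows after five guesses and then prints the per-second guessing rate for each scheme; the gap of several orders of magnitude is why the salted-MD5 users had their passwords cancelled outright while bcrypt users were only advised to change weak ones. Wrapping is shown because a site cannot simply "rehash" stored digests into bcrypt without the plaintext; it is one standard way to raise the cost of an existing dump immediately.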
In the process of notifying users
The company said it is now notifying all impacted users with customized emails that depend on what was taken. These emails are going out to Freepik and Flaticon users according to which service they registered on. Below are some of these messages, as we received them from our readers.
“Those who had a password hashed with salted MD5 got their password canceled and have received an email to urge them to choose a new password and to change their password if it was shared with any other site (a practice that is strongly discouraged),” Freepik said. “Users who got their password hashed with bcrypt received an email suggesting that they change their password, especially if it was an easy-to-guess password. Users who only had their email leaked were notified, but no special action is required from them.”
Freepik is one of today's most popular sites on the internet, currently ranked #97 on the Alexa Top 100 list. Flaticon is not far behind, at #668.
When EQT acquired the Freepik Company at the end of May this year, the company said the Freepik service had a community of more than 20 million registered users.
Users registered on Slidesgo, another of the Freepik Company’s websites, don’t appear to have been impacted.