8.3m Freepik users exposed in recent data breach

24 Aug 2020


Email addresses and password hashes were accessed in a recent breach affecting some of the oldest users on Freepik’s image sharing platform.

Freepik, a popular website that provides access to free stock photos and design graphics, announced on Friday (21 August) that it had been subject to a major data breach.

In a statement, the company said that it immediately notified authorities of the breach, which is estimated to have affected 8.3m users of Freepik and its free graphic resource subsidiary Flaticon.

Freepik said that the security breach was due to a SQL injection in Flaticon that allowed an attacker to access user information from the company’s database.

The breach affected 8.3m of the company’s oldest users, whose email addresses and password hashes were accessed. A password hash cannot be used directly to log into a user account, as it is not the password itself but a one-way scrambled representation of it.

Freepik’s data breach

The company said: “Out of these 8.3m users, 4.5m had no hashed password because they used exclusively federated logins (with Google, Facebook and/or Twitter) and the only data the attacker obtained from these users was their email address.”

The remaining 3.77m users had their email addresses revealed. For 3.55m of these, Freepik had hashed the password with bcrypt, while for the remaining 229,000 users the method was salted MD5. The company said that, as a result of the breach, it has now updated the password hashes of all users to bcrypt.

“Those who had a password hashed with salted MD5 got their password cancelled and have received an email to urge them to choose a new password and to change their password if it was shared with any other site,” the company said.

The company added that users whose passwords were hashed with bcrypt received an email suggesting that they change their password, especially if it was an easy-to-guess password. “Users who only had their email leaked were notified, but no special action is required from them.”
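As an added illustration, not code from Freepik or from this article, of why the salted-MD5 and bcrypt groups were treated differently: a fast hash such as salted MD5 can be guessed offline far more cheaply than a slow, salted key-derivation function, and a stored hash can only be rehashed when the plaintext is available (at the user's next login), which is why the MD5 group had their passwords cancelled outright rather than silently upgraded. The code uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, and the accounts, emails and salt are constructed sample data.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor; bcrypt or scrypt would be the usual production choice

def legacy_md5(password: str, salt: bytes) -> str:
    """Salted MD5, the legacy scheme: a single fast digest, so offline guessing is cheap."""
    return hashlib.md5(salt + password.encode()).hexdigest()

def strong_hash(password: str, salt: bytes = None) -> str:
    """Slow salted KDF record in the form scheme$iterations$salt$digest (stand-in for bcrypt)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(record: str, password: str) -> bool:
    """Check a password against a stored record of either scheme, in constant time per digest."""
    scheme, *fields = record.split("$")
    if scheme == "reset":  # password cancelled; only a reset flow may set a new one
        return False
    if scheme == "md5":
        salt, digest = fields
        return hmac.compare_digest(legacy_md5(password, bytes.fromhex(salt)), digest)
    if scheme == "pbkdf2_sha256":
        iters, salt, digest = fields
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), int(iters))
        return hmac.compare_digest(dk.hex(), digest)
    raise ValueError(f"unknown hash scheme: {scheme}")

def login(user_db: dict, email: str, password: str) -> bool:
    """Verify the login; if the stored record is legacy MD5, rehash with the slow KDF."""
    record = user_db.get(email)
    if record is None or not verify(record, password):
        return False
    if record.startswith("md5$"):  # upgrade-on-login: plaintext is available only now
        user_db[email] = strong_hash(password)
    return True

def cancel_legacy_passwords(user_db: dict) -> int:
    """Post-breach response: waiting for logins is too slow, so cancel every MD5 record."""
    cancelled = 0
    for email, record in user_db.items():
        if record.startswith("md5$"):
            user_db[email] = "reset$"
            cancelled += 1
    return cancelled

# Constructed sample database (not real Freepik data): one legacy and one modern account.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {
    "old@example.com": "md5$" + SALT.hex() + "$" + legacy_md5("correct horse", SALT),
    "new@example.com": strong_hash("battery staple"),
}
```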

The company advised users to check whether their email addresses or passwords have been compromised on HaveIBeenPwned.com.

Freepik also said that it has “greatly extended” its engagement with external security consultants and has undertaken a full review of its external and internal security measures.

“While no system is 100pc secure, this should not have happened and we apologise for this leak,” the company said.

Earlier this year, Freepik announced that it had a community of 20m registered users who are supported by the firm’s 450 in-house freelance graphic designers and external contributors.

Kelly Earley was a journalist with Silicon Republic
