Freepik reveals that the attack took place due to a SQL injection in Flaticon.
Just a few days ago, Experian announced suffering a data breach affecting 24 million customers. Now, Freepik, a popular platform for designers offering free graphic resources has announced that it has suffered a massive data breach affecting users on Freepik.com and Flaticon.com.
For your information, Flaticon claims to be the largest database of free icons and is owned by Freepik company. According to the statement, Freepik has revealed that a hacker managed to exploit an SQL vulnerability stealing 8.3 million records from both platforms collectively.
The data stolen in the breach includes email addresses and password hashes. However, for some users, the compromised data only includes email or social media tokens used for login on both sites. For instance, Freepik explained in its statement that;
Out of these 8.3M users, 4.5M had no hashed password because they used exclusively federated logins (with Google, Facebook and/or Twitter), and the only data the attacker obtained from these users was their email address.
For the remaining 3.77M users the attacker got their email address and a hash of their password. For 3.55M of these users, the method to hash the password is bcrypt, and for the remaining 229K users the method was salted MD5. Since then we have updated the hash of all users to bcrypt.
Although the company has informed affected users it is still advised to change your password on both websites and any other platform where you signed up with the same login credentials.
Moreover, don’t be surprised if Freepik and Flaticon’s database showed up on a dark web market for sale or leaked online on some hacker forum.
It is worth noting that previously, online graphic-design tool Canva also suffered a data breach in which 139 million accounts were stolen and leaked online. Recently, a hacker going by the online handle of Shiny Hunters leaked dozens of databases stolen from prominent companies including:
WattPad – 271 million accounts leaked
Dunzo – 11GB worth of data leaked
Dave.com – 7 million accounts leaked
Bhinneka – 1 million+ accounts leaked
Minted – 5 million accounts leaked
ProctorU – 444,267 accounts leaked
Tokopedia – 91 million accounts leaked
Couchsurfing – 17 million accounts leaked
Therefore, keep an eye on your account and secure it with 2FA.