Free photos, graphics website Freepik discloses data breach impacting 8.3m users
Freepik, a website dedicated to providing access to high-quality free photos and design graphics, has today disclosed a major security breach.
The company made it official after users started complaining on social media this week about receiving shady-looking breach notification emails in their inboxes.
ZDNet reached out to the Freepik Company on Thursday, and while we have not heard back before this article's publication, the company formally disclosed a security breach today, confirming the authenticity of the emails it has been sending to registered users for the past few days.
Hacker used an SQL injection to get in
According to the company's official statement, the security breach occurred after a hacker (or hackers) used an SQL injection vulnerability to gain access to one of its databases storing user data.
Freepik said the hacker obtained usernames and passwords for the oldest 8.3 million users registered on its Freepik and Flaticon websites.
Freepik did not say when the breach occurred, or when it learned about it. However, the company says it notified authorities as soon as it learned of the incident and began investigating the breach and what the hacker had accessed.
Millions of password hashes were pilfered
As for what was taken, Freepik said that not all users had passwords associated with their accounts, and for some the hacker only took user emails.
The company puts this number at 4.5 million, representing users who used federated logins (Google, Facebook, or Twitter) to log into their accounts.
"For the remaining 3.77M users the attacker got their email address and a hash of their password," the company added. "For 3.55M of these users, the method to hash the password is bcrypt, and for the remaining 229K users the method was salted MD5. Since then we have updated the hash of all users to bcrypt."
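Moving every stored hash to bcrypt, as the statement describes, has to work without any plaintext password on hand. The example below is added here and is not Freepik's code: it wraps each legacy salted-MD5 digest inside a slow hash offline, verifies logins through both layers, and retires the MD5 layer the next time the user signs in. Assumptions: the record layout is invented, and PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, which the standard library does not ship.

```python
import hashlib
import hmac
import os

# Assumption: bcrypt is not in the standard library, so PBKDF2-HMAC-SHA256
# plays the slow hash here; the wrapping pattern is identical with bcrypt.
ITERATIONS = 100_000

def legacy_md5(salt: bytes, password: str) -> bytes:
    """The weak scheme the 229K accounts were stored under: salted MD5."""
    return hashlib.md5(salt + password.encode()).digest()

def slow_hash(material: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)

def new_record(password: str) -> dict:
    """Record for a password we hold in plaintext (signup or a fresh login)."""
    salt = os.urandom(16)
    return {"scheme": "slow", "salt": salt, "hash": slow_hash(password.encode(), salt)}

def wrap_legacy(record: dict) -> dict:
    """Offline migration with no plaintext: the stored MD5 digest becomes the
    input to the slow hash, so every guess now costs the attacker the slow hash."""
    if record["scheme"] != "md5":
        raise ValueError("only md5 records need wrapping")
    salt = os.urandom(16)
    return {"scheme": "slow(md5)", "md5_salt": record["salt"], "salt": salt,
            "hash": slow_hash(record["hash"], salt)}

def verify(record: dict, password: str) -> bool:
    if record["scheme"] == "slow(md5)":
        material = legacy_md5(record["md5_salt"], password)  # rebuild inner layer
    elif record["scheme"] == "slow":
        material = password.encode()
    else:  # an unmigrated "md5" record
        return hmac.compare_digest(record["hash"], legacy_md5(record["salt"], password))
    return hmac.compare_digest(record["hash"], slow_hash(material, record["salt"]))

def login(record: dict, password: str) -> tuple:
    """Returns (ok, record_to_store). A successful login is the one moment the
    plaintext is available, so a wrapped record is re-hashed directly then."""
    if not verify(record, password):
        return False, record
    if record["scheme"] != "slow":
        return True, new_record(password)
    return True, record
```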
In the process of notifying users
The company said it is now in the process of notifying all impacted users with customized emails, depending on what was taken. These emails are going out to Freepik and Flaticon users, depending on which service the users had registered on. Below are some of these messages, as we received them from our readers.
"Those who had a password hashed with salted MD5 got their password canceled and have received an email to urge them to choose a new password and to change their password if it was shared with any other site (a practice that is strongly discouraged)," Freepik said. "Users who got their password hashed with bcrypt received an email suggesting that they change their password, especially if it was an easy-to-guess password. Users who only had their email leaked were notified, but no specific action is required from them."
Freepik is one of today's most popular sites on the internet, currently ranked #97 on the Alexa Top 100 sites list. Flaticon is not far behind, ranked #668.
When EQT acquired the Freepik Company at the end of May this year, the company claimed the Freepik service has a community of more than 20 million registered users.
Users registered on Slidesgo, another of the Freepik Company's websites, do not appear to have been impacted.