Stock photo company Freepik recently revealed that hackers stole the data of 8.3 million users of two of its marketplace websites, Digital Information World reported. The stolen data consists of email addresses and password hashes.
Freepik owns two stock photo marketplace websites, Freepik and Flaticon, both among the most popular sites on the internet, ranking 97 and 668 on the Alexa Top 100 sites list. Both were compromised in an SQL injection attack.
The hacker exploited an SQL injection flaw in Flaticon, which gave them access to the compromised details, specifically the email addresses and password hashes of the oldest 8.3 million accounts.
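SQL injection is the flaw named above. The following is an added illustration of that class of bug, not Freepik's or Flaticon's code or schema: a constructed in-memory user table, a lookup that splices user input into the SQL text, and the same lookup with parameter binding. The table contents and the crafted input are constructed for the example.

```python
import sqlite3

# Constructed sample data (not real Freepik/Flaticon records): a toy users
# table holding an email address and a password hash per row.
SAMPLE_USERS = [
    ("alice@example.com", "$2b$12$placeholder-hash-A"),
    ("bob@example.com", "$2b$12$placeholder-hash-B"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable form: user input is spliced into the SQL text, so the
    query's structure depends on what the caller typed."""
    sql = f"SELECT email, password_hash FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened form: parameter binding keeps the input as data; it cannot
    change the WHERE clause no matter what it contains."""
    sql = "SELECT email, password_hash FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Count rows returned by each lookup for a normal and a crafted input."""
    conn = make_db()
    benign = "alice@example.com"
    # The textbook tautology input: turns the filter into "'' OR '1'='1'".
    crafted = "' OR '1'='1"
    return {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),
        "vuln_crafted": len(lookup_vulnerable(conn, crafted)),
        "safe_benign": len(lookup_safe(conn, benign)),
        "safe_crafted": len(lookup_safe(conn, crafted)),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup hands back every row for the crafted input, which is exactly how an attacker ends up with a whole table of email addresses and hashes; the bound-parameter version returns nothing for it. Binding applies equally when an ORM builds the query, provided raw string formatting is never used for the filter values.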
Digital Information World explained that hashes are not the password itself. Instead, they are encryptions of passwords, which means that they cannot be used to sign in to accounts.
Of the 8.3 million account owners, 4.5 million had only their email addresses leaked. These 4.5 million users signed in through “federated logins” with Facebook, Twitter, or Google. They were informed, but no special action was recommended.
The remaining 3.77 million account owners had both their email addresses and their password hashes stolen. For most of them (3.55 million) the hashes were bcrypt hashes, while for the rest (229,000 users) they were salted MD5 hashes.
Users were informed of the hack through an email urging them to change their passwords. The company told the 229,000 users, “We got a security incident and we have identified that your email address has been accessed together with your password in an encrypted form (hashed).”
Meanwhile, the 3.55 million account owners whose passwords were hashed with bcrypt were told to change their login credentials.
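The article makes two technical points: a stolen hash is not a usable password (the hash itself will not log anyone in), and bcrypt hashes are worth much less to an attacker than salted MD5 hashes. This added example, which is not Freepik's code, shows both. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, since bcrypt itself requires the third-party `bcrypt` package; what matters for the comparison is the same property, a per-user salt plus a tunable work factor. Passwords, salts and the iteration count are constructed values.

```python
import hashlib
import hmac
import os
import time

# Work factor for the slow hash. Constructed value for this example; raise it
# as hardware gets faster, just as bcrypt's cost parameter would be raised.
PBKDF2_ITERATIONS = 200_000


def hash_md5_salted(password, salt=None):
    """Salted MD5, the weaker scheme in the breach: one fast digest per guess."""
    salt = salt or os.urandom(16)
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"md5${salt.hex()}${digest}"


def hash_pbkdf2(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated hash standing in for bcrypt: every guess costs
    `iterations` HMAC computations instead of one digest."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Recompute the hash with the stored salt and compare in constant time.
    Feeding the stored hash back in as the 'password' fails, which is why a
    leaked hash is not itself a login credential."""
    scheme, *rest = stored.split("$")
    if scheme == "md5":
        candidate = hash_md5_salted(password, bytes.fromhex(rest[0]))
    elif scheme == "pbkdf2":
        candidate = hash_pbkdf2(password, bytes.fromhex(rest[1]), int(rest[0]))
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def guess_cost_ratio(samples=200):
    """Roughly how many times more expensive a single offline guess is
    against the slow hash than against salted MD5 on this machine."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        hash_md5_salted("guess", salt)
    md5_per_guess = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    hash_pbkdf2("guess", salt)
    slow_per_guess = time.perf_counter() - t0
    return slow_per_guess / md5_per_guess


if __name__ == "__main__":
    weak = hash_md5_salted("correct horse battery staple")
    strong = hash_pbkdf2("correct horse battery staple")
    print("md5 verify:", verify("correct horse battery staple", weak))
    print("slow verify:", verify("correct horse battery staple", strong))
    print("hash as password:", verify(strong, strong))
    print("cost ratio:", round(guess_cost_ratio()))
```

The ratio returned by `guess_cost_ratio` is the practical difference between the two user groups in the notice: the attacker has to pay that factor on every candidate password for the bcrypt-style hashes, which is why a site that still stores salted MD5 should migrate those users to a work-factor hash on their next login, as Freepik says it did by updating all password hashes.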
The official statement released by Freepik did not specify the date of the breach or when they became aware of the incident. It did say, however, that the firm immediately got in touch with the authorities. The company investigated the incident and updated all users’ password hashes.
ZDNet noted that “the company made it official after users started grumbling on social media [last week] about receiving shady-looking breach notification emails.” The outlet contacted Freepik but did not receive any response. Instead, the company released its official statement.
Emails sent to affected users informed them that the company “proactively disabled your current password.” It reminded account owners not to use the same passwords on different sites “to prevent any risks.”