Freepik, a website that provides access to high-quality free photos and design graphics, has disclosed a major security breach.
The company disclosed the breach details when users started complaining on social media about getting suspicious breach notification emails in their inboxes.
The company confirmed the authenticity of the emails it has been sending to registered users for the past few days.
According to the company's official statement, the breach happened when threat actors used an SQL injection vulnerability to gain access to one of its databases storing user data.
The hacker obtained usernames and passwords for the oldest 8.3 million users registered on its Freepik and Flaticon websites.
However, the company did not state when the breach took place or when it discovered the breach. It notified authorities as soon as it became aware of the incident, and began investigating the breach and what the hacker had accessed.
Freepik stated that not all users had passwords associated with their accounts, and that for some of them the hacker accessed only email addresses.
There are around 4.5 million such users, who used federated logins (Google, Facebook, or Twitter) to log into their accounts.
The hacker got the email addresses and hashed passwords of the remaining 3.77M users. Of these, the passwords of 3.55M users were hashed using bcrypt, and for the remaining 229K users the method was salted MD5. The company has updated the hashes of all users to bcrypt.
The company has started notifying all affected users with customized emails, depending on what was taken. These emails are sent to Freepik and Flaticon users, depending on which service they registered on.
Freepik is one of the most popular sites today and its service has a community of more than 20 million registered users.
Image Credits: Freepik