Emails and Passwords of Millions of Flaticon and Freepik Users Have Been Exposed

Freepik Data Breach

You can learn a lot about a company's attitude towards security in the wake of a data breach. You can see how it handled it in the past, how it's dealing with it at the moment, and how far in the future it casts its gaze. Sadly, companies get breached virtually every day, and we've got plenty of examples that help us compare and contrast the different reactions from different organizations. Freepik, the company behind Freepik and Flaticon, is the latest online service to disclose a cybersecurity incident, and we'll now see what sort of conclusions we can draw from the event.

Hackers steal information about 8.3 million users from Freepik

The announcement came out on Saturday, and it has already been emailed to all affected users. According to it, hackers breached the Flaticon website and got their hands on a database containing records about the first 8.3 million accounts registered at and 4.5 million of the records contained only email addresses because the account owners had used their Facebook, Twitter, or Google profiles to sign in. In the remaining 3.77 million records, the hackers also found password hashes. Two hundred twenty-nine thousand of the affected passwords were hashed and salted with MD5, and the rest were protected by bcrypt.

Freepik made some mistakes in the past

It's now obvious that when you create an account at one of Freepik's websites, you automatically create an account at the other one as well, but when you check out the registration forms, you'll see that this is not made abundantly clear, which is a mistake. Sadly, it's not the only one.

We can deduce from the statement that at the very beginning, Freepik was hashing users' passwords with MD5, an algorithm that is trivially easy to crack these days. Apparently, as the platforms' popularity grew, the company realized that it needs to improve its security, and it switched to bcrypt. For this, it deserves a pat on the back. Freepik didn't think about protecting the owners of the first 229 thousand accounts, however, and this is not a good thing.

Neither is the fact that the hackers broke in using an SQL injection. These attacks are considered fairly old now, and protecting your website against them isn't really that difficult. In fact, some experts go as far as saying that being vulnerable to SQL injections in 2020 is completely unacceptable.

In terms of disclosure, Freepik did much better than the many data breach victims that try to downplay the incident. This time, we have a clear understanding of what happened exactly and what affected users need to do. The only problem we can find with Freepik's disclosure is the fact that it didn't state when the breach happened exactly.

Freepik will hopefully try to do better in the future

The damage associated with data breaches is inevitable, but if a company really wants to save its face, it needs to show users that it has realized what happened and has learned its lessons. Freepik has done rather well in that respect.

The leaked passwords that were hashed with MD5 have been reset and are no longer active. Users were informed about it and are urged to pick new, strong passwords. Those whose credentials were hashed with bcrypt are also made aware of the incident, and they are advised to change their passwords out of an abundance of caution. Freepik also sent emails to the users who signed up with their social media accounts. They should be on the lookout for suspicious emails and potential phishing attacks.

More importantly, Freepik says that it's putting measures in place to ensure that from now on, the hackers won't be able to break in that easily. Hopefully, they will work.

August 25, 2020

Leave a Reply