Freepik, a top-100 Alexa ranked popular website that provides access to free stock photos and design graphics, announced on Friday (21 August) that it had been subject to a major data breach due to a SQL injection vulnerability.

In a statement released by the company, it is said that they immediately notified authorities of the breach, which is estimated to have affected 8.3m users of Freepik and its free graphic resource subsidiary Flaticon.

Freepik said that the security breach was due to a SQL injection in Flaticon that allowed an attacker to access user information from the company’s database.

The breach affected 8.3m of the company’s oldest users, whose email addresses and extracted password hashes were accessed. The hash of the password cannot be used to log into a user account on it’s own, as it is not a password, but a scrambled representation of a password. But it certainly aids an attacker to crack the passwords more efficiently

Freepik’s data breach

The company said that out of 8.3m affected users, 4.5M had no hashed password because they used exclusively one or more federated login methods (with Google, Facebook and/or Twitter) and the only data the attacker obtained during this attack was their email address.

The remaining 3.77M users affected by this breach had their email addresses revealed and for 3.55M of these users, their password was encrypted by using a modern algorithm, bcrypt. The password information of the remaining 229,000 users, however, was salted using an obsolete MD5 algorithm. The company said that it has now updated the hash of all users to the latest bcrypt algorithm as a result of the breach.

The company took initiatives to protect its users by revoking the passwords of those using the obsolete algorithm and have sent an email urging them to choose a new password and to change their password immediately if it was shared with any other site.

The company also added that users whose passwords were hashed with bcrypt received an email suggesting that they change their password, especially if it was an easy-to-guess password. Users who only had their email leaked, were notified promptly, since the impact was relatively lower and no special action is required from them.

“While no system is 100% secure, this should not have happened and we apologise for this leak,” the company said.

While incidents like these are truly tragic and puts the reputation of the affected company on the line, it is worth noting that the same types of attack could have been prevented easily by using an efficient Web Application Firewall(WAF) such as Modshield SB which includes the most popular Modsecurity and OWASP Core Rule Set effectively preventing against a host of attacks highlighted by the OWASP top 10 threat vectors. 

Modshield SB combines the power of Modsecurity and OWASP Core Ruleset with an easy to use, east to implement interface, fantastic dashboards for compliance reports and a built-in load balancer.

Modshield SB is threat aware, being fed by continuous threat intelligence feeds to address the latest threats out in the landscape.

Modshield SB also provides application owners to implement access controls using a series of whitelists and blacklist for IP addresses and geographies.

Modshield SB offer a DLP option which matches application server’s responses to standard patterns of sensitive information and blocks the responses when a predefined format is encountered