How an application firewall like Modshield SB could have saved the day

September 2 2020

Freepik, a popular top-100 Alexa-ranked website that provides access to free stock photos and design graphics, announced on Friday (21 August) that it had suffered a major data breach caused by a SQL injection vulnerability.
In a statement, the company said it immediately notified the authorities of the breach, which is estimated to have affected 8.3m users of Freepik and its free graphic-resource subsidiary Flaticon.
Freepik said the breach was due to a SQL injection in Flaticon that allowed an attacker to read user information from the company’s database.
The breach affected 8.3m of the company’s oldest users, whose email addresses and password hashes were extracted. A password hash cannot be used to log into an account on its own, since it is not the password but a scrambled representation of it. It does, however, let an attacker crack the passwords offline far more efficiently than guessing against the live login form.
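The root cause named above is query text built from untrusted input. The following added example (not Freepik's code; the table, rows and hashes are constructed) puts the vulnerable pattern beside the parameterized form that a WAF would otherwise have to compensate for:

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory user store; every row and hash value here is made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice@example.com", "$2b$12$constructedhashA"),
            ("bob@example.com", "$2b$12$constructedhashB"),
        ],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: the caller's input is spliced into the SQL text, so it is parsed as SQL
    and can change the WHERE clause instead of just being compared against it."""
    sql = f"SELECT email, password_hash FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened: the value travels as a bound parameter; the database never parses it as SQL."""
    sql = "SELECT email, password_hash FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def row_counts(value: str) -> tuple:
    """Number of rows each lookup returns for the same input; a legitimate address gives (1, 1),
    input that alters the query gives more rows from the unsafe path than the safe one."""
    conn = make_demo_db()
    return len(lookup_unsafe(conn, value)), len(lookup_safe(conn, value))
```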
Freepik’s data breach
The company said that of the 8.3m affected users, 4.5M had no password hash at all because they used only federated login (Google, Facebook and/or Twitter), so the only data the attacker obtained for them was their email address.
The remaining 3.77M users had their email addresses revealed, and for 3.55M of them the password was hashed with a modern algorithm, bcrypt. The passwords of the remaining 229,000 users, however, were stored as salted hashes using the obsolete MD5 algorithm. As a result of the breach, the company said it has now updated the hashes of all users to bcrypt.
To protect its users, the company revoked the passwords of those on the obsolete algorithm and sent them an email urging them to choose a new password, and to change it immediately on any other site where the same password was used.
The company also said that users whose passwords were hashed with bcrypt received an email suggesting they change their password, especially if it was easy to guess. Users who only had their email address leaked were notified promptly; since the impact was lower, no special action is required from them.
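The migration the two paragraphs above describe (salted MD5 records moved to a slow hash without waiting for users to log in, then replaced by a native record on the next successful login) can be done without ever holding the plaintext. The added example below is not Freepik's code; it uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for the bcrypt the article names, and the record formats, iteration count and salts are assumptions:

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; tune to the deployment


def legacy_md5(password: str, salt: bytes) -> str:
    """Obsolete scheme: one fast MD5 over salt+password. Record: md5$<salt hex>$<digest hex>."""
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"md5${salt.hex()}${digest}"


def slow_hash(secret: bytes, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS).hex()


def wrap_legacy(stored: str) -> str:
    """Bulk upgrade with no plaintext: run the slow hash over the stored MD5 digest.
    Record: pbkdf2(md5)$<md5 salt>$<outer salt>$<digest>. Offline cracking now pays the slow
    cost per guess, which is what the fast MD5 layer lacked."""
    scheme, salt_hex, digest = stored.split("$")
    if scheme != "md5":
        raise ValueError("only md5 records can be wrapped")
    outer = os.urandom(16)
    return f"pbkdf2(md5)${salt_hex}${outer.hex()}${slow_hash(digest.encode(), outer)}"


def fresh_hash(password: str) -> str:
    """Native record for a password we currently hold: pbkdf2$<salt hex>$<digest>."""
    salt = os.urandom(16)
    return f"pbkdf2${salt.hex()}${slow_hash(password.encode(), salt)}"


def verify(password: str, stored: str) -> bool:
    """Check a password against any of the three record formats, in constant time per format."""
    p = stored.split("$")
    if p[0] == "md5":
        return hmac.compare_digest(legacy_md5(password, bytes.fromhex(p[1])), stored)
    if p[0] == "pbkdf2(md5)":
        inner = hashlib.md5(bytes.fromhex(p[1]) + password.encode()).hexdigest()
        return hmac.compare_digest(slow_hash(inner.encode(), bytes.fromhex(p[2])), p[3])
    if p[0] == "pbkdf2":
        return hmac.compare_digest(slow_hash(password.encode(), bytes.fromhex(p[1])), p[2])
    return False


def login(password: str, stored: str) -> tuple:
    """Returns (ok, record_to_store): a successful login on a legacy or wrapped record yields a
    fresh native record, so the MD5 layer disappears from the store over time."""
    if not verify(password, stored):
        return False, stored
    return True, stored if stored.startswith("pbkdf2$") else fresh_hash(password)
```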
“While no system is 100% secure, this should not have happened and we apologise for this leak,” the company said.
While incidents like these are truly damaging and put the reputation of the affected company on the line, it is worth noting that this type of attack could have been prevented by using an efficient Web Application Firewall (WAF) such as Modshield SB, which includes the widely used ModSecurity engine and the OWASP Core Rule Set, effectively protecting against the host of attacks highlighted by the OWASP Top 10.
Modshield SB combines the power of ModSecurity and the OWASP Core Rule Set with an easy-to-use, easy-to-implement interface, dashboards for compliance reports and a built-in load balancer.
Modshield SB is threat aware, being fed by continuous threat intelligence feeds to address the latest threats in the landscape.
Modshield SB also lets application owners implement access controls using whitelists and blacklists for IP addresses and geographies.
Modshield SB offers a DLP option which matches the application server’s responses against standard patterns of sensitive information and blocks a response when a predefined format is encountered.
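The response-side check described in the last paragraph is a last line of defence that would have fired on exactly the data this breach leaked: email addresses and password hashes leaving in a response body. The added example below is not Modshield SB's code; the pattern set, the Luhn filter on card-like numbers and the sample responses are all constructed for illustration:

```python
import json
import re

# Assumed pattern set: email addresses, bcrypt hashes and 16-digit card-like numbers.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "bcrypt_hash": re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"),
    "card_number": re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)"),
}


def luhn_ok(digits: str) -> bool:
    """Checksum used to keep arbitrary 16-digit ids (order numbers, timestamps) out of the findings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def scan_response(body: str) -> dict:
    """Returns {pattern name: count of matches}; only matches that survive the filters count."""
    findings = {}
    for name, rx in PATTERNS.items():
        hits = rx.findall(body)
        if name == "card_number":
            hits = [h for h in hits if luhn_ok(re.sub(r"[ -]", "", h))]
        if hits:
            findings[name] = len(hits)
    return findings


def filter_response(status: int, body: str) -> tuple:
    """The DLP decision: block (503 with a generic body) when any pattern matches, else pass through.
    Returns (status, body, findings) so the findings can be logged without echoing the data."""
    findings = scan_response(body)
    if findings:
        return 503, json.dumps({"error": "response blocked by policy"}), findings
    return status, body, findings
```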
