Cybersecurity specialists reported a security incident at Freepik and Flaticon that resulted in the exposure of users’ personal information. According to a statement issued by the website, the data breach was the result of a SQL injection into Flaticon, which allowed threat actors to access the compromised resources.
In its report of the incident, Freepik states that the authorities were notified immediately after detection. It adds that forensic analysis determined that threat actors extracted the email addresses of at least 8.3 million users, in addition to about 4 million encrypted passwords. Keep in mind that an encrypted password cannot be used to access a compromised account.
Because half of the affected users log in to Freepik via Facebook, Google or Twitter, only the email addresses of those users were compromised.
As a security measure, the website forced a mass password reset, prompting users by email to change their passwords. Freepik also recommends changing passwords used on other websites to avoid other attack variants such as credential stuffing.
For users whose email address has been compromised, the company says that no additional action is required. However, cybersecurity specialists recommend that affected users remain alert to any attempted scam via email, known as a phishing attack. In addition, any user of the compromised platform can check whether their email or password has appeared in any leak on the specialized website Have I Been Pwned.
Freepik concluded its message by assuring users that its team constantly reviews any information related to security incidents and data breaches, and immediately implements any security mechanisms related to email addresses, passwords and personal data.
The company has increased its security investment, building collaboration with external specialists and carrying out a comprehensive review of its security mechanisms in order to mitigate the risk arising from this incident and prevent further incidents from occurring in the future.