UPDATED 22:42 EDT / AUGUST 24 2020

SECURITY

8.3M records of Freepik and Flaticon users stolen in SQL injection attack

Data relating to 8.3 million users of stock-image sites Freepik and Flaticon, both owned by Freepik Co. S.L., has been stolen through an SQL injection attack.

The stolen data included users' email addresses along with 3.77 million hashed passwords. Some 3.55 million of those were hashed with bcrypt, a deliberately slow algorithm that makes them highly difficult but not impossible to crack, while 229,000 were salted MD5, a fast, older hash that offers little resistance to offline guessing. Neither is encryption: a password hash cannot be decrypted, only guessed, and the question is how expensive each guess is. All users with the salted MD5 hashes have had their passwords reset, and affected users were sent an email encouraging them to change their password anywhere else it was used.
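The difference between the two hash types comes down to per-guess cost. The following is an added example, not code from the article or from Freepik: it runs the same per-record dictionary attack against a constructed "email:salt:hash" dump (the layout is an assumption) hashed once with salted MD5 and once with PBKDF2-HMAC-SHA256 at 100,000 iterations, used here as a standard-library stand-in for bcrypt's cost factor because bcrypt itself needs a third-party package. The accounts, salts, and wordlist are made up for the demonstration.

```python
import hashlib
import time

# Constructed sample accounts and a tiny wordlist; none of this is Freepik data.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "9f3a", "letmein"),                     # weak, in the wordlist
    ("bob@example.com", "c0de", "correct horse battery staple"),  # not in the wordlist
]
WORDLIST = ["123456", "password", "qwerty", "letmein", "freepik2020"]


def md5_salted(salt, password):
    """Salted MD5 as a fast hash: one cheap digest per guess."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def pbkdf2_salted(salt, password):
    """Stand-in for bcrypt (assumption for this example): PBKDF2-HMAC-SHA256 with a
    high iteration count plays the role of bcrypt's cost factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


def build_dump(hash_fn):
    """Render the sample accounts as 'email:salt:hash' lines (constructed layout)."""
    return [f"{email}:{salt}:{hash_fn(salt, pw)}" for email, salt, pw in SAMPLE_ACCOUNTS]


def crack(dump_lines, wordlist, hash_fn):
    """Per-record dictionary attack. The salt forces each record to be attacked
    separately (no shared precomputed table), but every guess is still one call to
    hash_fn, so the cost of that call is all that protects the password."""
    found = {}
    guesses = 0
    for line in dump_lines:
        email, salt, digest = line.split(":")
        for candidate in wordlist:
            guesses += 1
            if hash_fn(salt, candidate) == digest:
                found[email] = candidate
                break
    return found, guesses


def compare():
    """Run the same attack against both dump styles and time each run.
    The guess count is identical; only the per-guess cost differs."""
    results = {}
    for label, fn in (("salted_md5", md5_salted), ("pbkdf2_100k", pbkdf2_salted)):
        dump = build_dump(fn)
        start = time.perf_counter()
        found, guesses = crack(dump, WORDLIST, fn)
        results[label] = {"found": found, "guesses": guesses,
                          "seconds": time.perf_counter() - start}
    return results


if __name__ == "__main__":
    for label, r in compare().items():
        print(f"{label}: cracked {r['found']} in {r['guesses']} guesses, {r['seconds']:.3f}s")
```

Both runs recover the weak password after the same nine guesses; the slow hash simply takes orders of magnitude longer per guess. Against a real dump the attacker's wordlist has millions of entries and runs on GPUs, which is why that per-guess ratio decides whether 229,000 MD5 hashes are a weekend's work or bcrypt hashes are a multi-year one.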

Freepik did not detail when the attack and theft of data took place, saying only that it involved an SQL injection in Flaticon that gave the attacker access to information from the database. An SQL injection is a code injection technique in which untrusted input is placed into an SQL query without being separated from the query's own syntax, so a crafted value changes the structure of the query rather than being treated as data. That lets the attacker alter what the query does, including reading stored data the application never intended to return.
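To make the mechanism concrete, here is an added example that is not code from the article, from Freepik, or from Flaticon. It assumes a made-up schema with a public `icons` table and a `users` table holding email addresses and password hashes, and contrasts a lookup that concatenates the caller's input into the SQL text with the same lookup using a bound parameter.

```python
import sqlite3

# Constructed sample rows; the two-table layout is an assumption for the
# demonstration and is not Flaticon's real schema.
SAMPLE_ICONS = [
    ("arrow", "/icons/arrow.svg"),
    ("camera", "/icons/camera.svg"),
]
SAMPLE_USERS = [
    ("alice@example.com", "$2b$12$placeholderbcrypthash0000000000000000000000000000000"),
    ("bob@example.com", "md5$a1b2c3$0cc175b9c0f1b6a831c399e269772661"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE icons (name TEXT, url TEXT)")
    conn.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO icons VALUES (?, ?)", SAMPLE_ICONS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def search_icons_vulnerable(conn, name):
    """Builds the query by string concatenation. The caller's input becomes part
    of the SQL text, so a crafted value can change the query's structure."""
    sql = "SELECT name, url FROM icons WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def search_icons_parameterized(conn, name):
    """Same lookup with a bound parameter. The SQL text is fixed when the code is
    written; the driver hands the value to the engine as data, never as syntax."""
    sql = "SELECT name, url FROM icons WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# A classic UNION-based payload. Against the vulnerable function it closes the
# string literal, appends a second SELECT against an unrelated table, and
# comments out the trailing quote, so an icon search returns user records.
UNION_PAYLOAD = "x' UNION SELECT email, password_hash FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", search_icons_vulnerable(db, UNION_PAYLOAD))
    print("parameterized:", search_icons_parameterized(db, UNION_PAYLOAD))
```

The parameterized version returns an empty list for the same payload because the engine looks for an icon literally named `x' UNION SELECT ...`. The fix is not input "sanitizing" in the application: it is keeping query text and data on separate channels, which parameterized queries (or an ORM that uses them) do by construction.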

“In light of disastrous breaches of this year, this would be a fairly banal incident, but the reportedly hacked resource is used by a huge number of webmasters and programmers,” Ilia Kolochenko, founder and chief executive officer of web security company ImmuniWeb, told SiliconANGLE. “Commonly, they have privileged, or even unlimited, access to the web applications and databases of their customers. Thus, cybercriminals will likely initiate large-scale password reuse attacks and phishing campaigns targeting careless and inattentive software developers.”

Given how many small law firms, financial and tax advisors entrust their data to these future victims, he added, there could be a spike in sophisticated, chained intrusions into large companies via law firms and other outside advisers.

Thomas Hatch, chief technology officer and co-founder at IT automation software firm SaltStack Inc., noted that “SQL injection is still a serious attack vector and one that I don’t see going away anytime soon. This is a classic case of developer error — it is an easy mistake to make. Not sanitizing input fields for APIs has been and will continue to be a problem for developers.”
