Data relating to 8.3 million users of stock-image sites Freepik and Flaticon, both owned by Freepik Co. S.L., have been stolen through an SQL injection attack.

The data stolen included the email addresses of users along with 3.77 million hashed passwords. Some 3.55 million of those passwords were encrypted with bcrypt, making them highly difficult but not impossible to crack, while 229,000 were salted MD5, an older encryption standard that can be easily decrypted. All users with the latter have had their passwords reset and affected users were sent an email encouraging them to change their password if it was used on another site.

Freepik did not detail when the attack and theft of data took place, saying only that it involved an SQL injection in Flaticon that gave the attacker access to information from their database. An SQL injection is a code injection technique in which an attacker inserts malicious code into an SQL backend database to allow manipulation of the database, including the theft of stored data.

“In light of disastrous breaches of this year, this would be a fairly banal incident, but the reportedly hacked resource is used by a huge number of webmasters and programmers,” Ilia Kolochenko, founder and chief executive officer of web security company ImmuniWeb, told SiliconANGLE. “Commonly, they have privileged, or even unlimited, access to the web applications and databases of their customers. Thus, cybercriminals will likely initiate large-scale password reuse attacks and phishing campaigns targeting careless and inattentive software developers.”

Given how many small law firms, financial and tax advisors entrust their data to these future victims, he added, there could be a spike in sophisticated, chained intrusions into large companies via law firms and other outside advisers.

Thomas Hatch, chief technology officer and co-founder at IT automation software firm SaltStack Inc., noted that “SQL injection is still a serious attack vector and one that I don’t see going away anytime soon. This is a classic case of developer error — it is an easy mistake to make. Not sanitizing input fields for APIs has been and will continue to be a problem for developers.”

Image: Freepik