
Freepik Company suffers credential theft due to SQL injection

08/21/2020

Freepik Company, a company focused on the search, purchase and sale of resources for designers, such as photographs, icons and PSD templates, has suffered a security incident that affected its Freepik and Flaticon projects, as published in an official statement.

The security incident originated from an SQL injection in Flaticon, which allowed an attacker to obtain certain user information from its database. Forensic analysis determined that the attacker extracted the email address and, when available, the password hash of its 8.3 million oldest users.

Of the total affected, the password hashes of the 3.55 million users whose passwords were hashed with bcrypt have been updated, and the 229,000 users whose passwords were hashed with MD5 were forced to reset them.