Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Freepik Discloses Data Breach Impacting 8.3 Million Users

Freepik Company, the organization behind the Freepik and Flaticon websites, has disclosed a data breach that impacted approximately 8.3 million of their users.

Freepik Company, the organization behind the Freepik and Flaticon websites, has disclosed a data breach that impacted approximately 8.3 million of their users.

Freepik is a search engine that provides users with access to high-quality graphics resources, including images, vectors, illustrations, and the like. On Flaticon, users can find over 3 million vector icons in various file formats.

The attackers, Freepik Company explains, exploited an SQL injection vulnerability in Flaticon, which allowed them to access user information.

“[I]n our forensic analysis, we determined that an attacker extracted the email and, when available, the hash of the password of the oldest 8.3M users. To clarify, the hash of the password is not the password, and cannot be used to log into your account,” the company announced.

The company reveals that for 4.5 million of the affected users no hashed password was leaked, because federated logins (with Google, Facebook and/or Twitter) were used, exclusively. For these users, only the email address was leaked.

For 3.77 million users, both the email address and a hash of the password were leaked. 3.55 million of these passwords were hashed using bcrypt, while for the remaining 229,000 salted MD5 was used.

Freepik says that it has since updated the hash for all user passwords to bcrypt, and that those who had a password hashed with salted MD5 have been prompted to reset it.

Advertisement. Scroll to continue reading.

“Users who got their password hashed with bcrypt received an email suggesting them to change their password, especially if it was an easy to guess password. Users who only had their email leaked were notified, but no special action is required from them,” the company announced.

Freepik also added that it is regularly scanning the passwords and emails that have been leaked on the Internet to identify those that match credentials of Freepik and Flaticon users, and that it disables any passwords found to have been leaked, while also notifying the affected users.

“Due to this incident, we have greatly extended our engagement with external security consultants and did a full review with a first-class agency of our external and internal security measures. We took some important short term measures to increase our security and have planned medium and long term extra security measures,” the company revealed.

Related: SANS Institute Says 28,000 User Records Exposed in Email Breach

Related: Video Creation Service Discloses Data Breach

Related: LiveAuctioneers Data Breach Impacts 3.4 Million Users

Related: San Francisco Employees’ Retirement System Discloses Data Breach

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...