
Cyber Incident Victim: Freepik

Date: Aug 2020

Location: Spain

Summary

A cyberattack targeting the Flaticon website of a major graphic resources provider exploited an SQL injection vulnerability to compromise 8.3 million user records. Attackers exfiltrated email addresses and password hashes: 4.5 million affected users had exclusively federated logins (exposing only emails), 3.55 million had bcrypt-hashed passwords, and approximately 229,000 had weaker salted MD5 hashes. The company forced password resets for users with MD5 hashes, which are far easier to crack, and notified bcrypt-hashed account holders to update their passwords. External security experts were engaged to audit systems following the incident, which impacted users of both Flaticon and its parent platform.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

On August 21, 2020, Freepik disclosed a data breach impacting users of its Freepik and Flaticon platforms, which collectively served 18 million monthly unique users. Attackers executed an SQL injection attack against the Flaticon website, compromising 8.3 million records from the company's oldest user accounts. The stolen data included email addresses and password hashes, though the specific impact varied across user groups. Approximately 4.5 million affected accounts relied exclusively on federated authentication through Google, Facebook, or Twitter, limiting the exposure to email addresses alone. For 3.55 million users, attackers obtained email addresses paired with bcrypt-hashed passwords, while another 229,000 users had emails exposed alongside salted MD5 password hashes. Freepik emphasized that password hashes could not directly compromise accounts but acknowledged the heightened risk associated with the weaker hashing algorithm.


The company implemented tiered remediation measures based on the hashing method involved. All 229,000 accounts with salted MD5 hashes, which the company deemed highly vulnerable to cracking, underwent forced password resets, with users notified to change credentials immediately. No mandatory resets occurred for the 3.55 million bcrypt-hashed accounts, though affected users received breach notifications advising them to update their passwords. Freepik confirmed it had transitioned entirely to bcrypt hashing prior to the breach and engaged external security experts to audit internal and external systems following the incident. The breach exposed no financial data, authentication tokens, or direct account access credentials. Freepik directed users to third-party services such as Have I Been Pwned to verify credential exposure in this or other breaches.
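The tiered remediation described above, as an added example that is not Freepik's code: a triage routine that sorts stored credentials into the three groups the company used (federated-only, bcrypt, salted MD5), verifies a legacy salted-MD5 record, and invalidates the weak hashes while issuing one-time reset tokens for the notification e-mails. The record formats, the legacy salting scheme and the sample rows are constructed assumptions for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed storage formats (assumptions for this example, not Freepik's schema):
#   None = federated-only account, "md5$<hex salt>$<hex digest>" = legacy salted MD5,
#   "$2a$/$2b$/$2y$..." = bcrypt, "!reset" = sentinel written by apply_forced_resets().

def classify(stored: Optional[str]) -> str:
    """Map one stored credential to the remediation tier it belongs in."""
    if stored is None:
        return "federated-notify"      # only the e-mail was exposed; nothing to reset
    if stored == "!reset":
        return "reset-pending"         # hash already invalidated; user must finish the reset
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt-notify"         # slow, salted hash: notify and advise a change
    if stored.startswith("md5$"):
        return "md5-force-reset"       # fast hash, cheap to crack offline: force a reset
    raise ValueError(f"unrecognised credential format: {stored[:8]!r}")

def md5_salted(password: str, salt_hex: str) -> str:
    """Legacy scheme assumed here: MD5 over raw salt bytes followed by the password."""
    return hashlib.md5(bytes.fromhex(salt_hex) + password.encode()).hexdigest()

def verify_legacy_md5(stored: str, password: str) -> bool:
    _, salt_hex, digest = stored.split("$")
    return hmac.compare_digest(md5_salted(password, salt_hex), digest)

def plan(records: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Group every account by tier so each group gets the matching notification."""
    tiers: Dict[str, List[str]] = {}
    for email, stored in records.items():
        tiers.setdefault(classify(stored), []).append(email)
    return tiers

def apply_forced_resets(records: Dict[str, Optional[str]], emails: List[str]) -> Dict[str, str]:
    """Invalidate weak hashes so they cannot authenticate; return one reset token per account."""
    tokens = {}
    for email in emails:
        records[email] = "!reset"
        tokens[email] = secrets.token_urlsafe(32)
    return tokens

# Constructed sample rows, one per user group described in the breach.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "legacy@example.invalid": "md5$a1b2c3d4$" + md5_salted("hunter2", "a1b2c3d4"),
    "social@example.invalid": None,
    "recent@example.invalid": "$2b$12$" + "0" * 53,   # placeholder shape, not a real bcrypt hash
}
```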

Sources

1 source (available to members)