Freepik, a website dedicated to providing access to high-quality free photos and design graphics, has disclosed today a major security breach.

Freepik says that hackers were able to steal emails and password hashes for 8.3M Freepik and Flaticon users in an SQL injection attack against the company’s Flaticon website.

The threat actors behind the Freepik security breach were able to steal the oldest 8.3M users’ emails and password hashes, where available.

“To clarify, the hash of the password is not the password, and can not be used to log into your account,” Freepik added.

According to the company’s official statement, the security breach occurred after a hacker (or hackers) used an SQL injection vulnerability to gain access to one of its databases storing user data.

Freepik said the hacker obtained usernames and passwords for the oldest 8.3 million users registered on its Freepik and Flaticon websites.

Freepik didn’t say when the breach took place, or when it found out about it. However, the company says it notified authorities as soon as it learned of the incident, and began investigating the breach, and what the hacker had accessed.


As for what was taken, Freepik said that not all users had passwords associated with their accounts, and the hacker only took user emails for some.

The company puts this number at 4.5 million, representing users who used federated logins (Google, Facebook, or Twitter) to log into their accounts.

LastPass Says 12-Hour Outage Caused by Bad Chrome Extension Update

“For the remaining 3.77M users the attacker got their email address and a hash of their password,” the company added. “For 3.55M of these users, the method to hash the password is bcrypt, and for the remaining 229K users the method was salted MD5. Since then we have updated the hash of all users to bcrypt.”

Buy Me A Coffee

“Those who had a password hashed with salted MD5 got their password canceled and have received an email to urge them to choose a new password and to change their password if it was shared with any other site (a practice that is strongly discouraged),” Freepik said. “Users who got their password hashed with bcrypt received an email suggesting them to change their password, especially if it was an easy to guess password. Users who only had their email leaked were notified, but no special action is required from them.”

If you want to check if your credentials have been compromised in a data breach you can use Have I Been Pwned, a huge database of accounts leaked after hundreds of site breaches.