Millions of Email Addresses, Hashed Passwords Leaked
Freepik Co. says an SQL injection attack led to the leak of 8.3 million email addresses and 3.7 million hashed passwords for users of its Freepik graphic resources app and Flaticon icon database platform.
Falling victim to an SQL injection attack likely indicates the company’s system was old or not kept up to date, says Jonn Callahan, principal application security consultant at the security firm nVisium.
“Modern frameworks, when properly utilized, almost completely remove SQL injection as a vulnerability,” he says. “There are some edge cases where these protections do not apply, but simple input validation against an expected list of values is all that’s required to mitigate them. Due to both of these factors, SQL injection is a much more rare vulnerability in the modern appsec landscape.”
The Data Breach Numbers
Freepik says the SQL injection attack targeted Flaticon, enabling access to a database.
Of the 3.7 million hashed passwords that were accessed, 3.55 million were hashed using bcrypt, and 229,000 were hashed using MD5. After the breach, the company says it updated the hash of all users to bcrypt.
“Users who got their password hashed with bcrypt received an email suggesting them to change their password, especially if it was an easy to guess password,” Freepik says. “Users who only had their email [addresses] leaked were notified, but no special action is required from them,” Freepik says.
Security experts say hashing passwords using MD5 or SHA-1 is inadequate because the hashed passwords can be relatively easily reversed by attackers to recover users’ passwords. That’s why they urge organizations to instead use a dedicated hashing algorithm such as bcrypt (see: Hacked Off: Lawsuit Alleges CafePress Used Poor Security).
Freepik is working with an outside security firm to conduct a full review of its external and internal security practices.
An Old Exploit
As indicated by its top position on OWASP’s Top 10 Web Application Security Risks, SQL injection is among the first methods cybercriminals try when attempting to breach a website, although its success rate is rather low, says James McQuiggan, security awareness advocate with cybersecurity firm KnowBe4.
“It’s one of the oldest exploits used today, and according to the 2020 Verizon Data Breach Incident Report, it shares the title of most common attack vector against websites with PHP injection. Based on 868 breaches in 2019, the success rate of SQL injection was around 4%, or 34 organizations suffered a breach,” McQuiggan notes.
Cody Beers, technical training manager at WhiteHat Security, says SQL injection vulnerabilities are still present in about 10% of all web applications, which creates an extremely large landscape for potential attacks.
SQL injection attacks take advantage of a code error that is specific to an app, making them difficult to detect, says Thomas Hatch, CTO and co-founder at software developer SaltStack.
“SQL injection is still a serious attack vector and one that I don’t see going away anytime soon,” Hatch says. That’s because some app developers make the error of not sanitizing input fields for APIs, opening the door to such attacks.