Freepik reported that hackers were able to steal emails and password hashes for 8.3M Freepik and Flaticon users in an SQL injection attack against the company's Flaticon website.
Freepik is one of the largest online graphic resource sites in the world; together, Freepik and the Flaticon platform total 18 million monthly unique users, 50 million monthly views, and 100 million monthly downloads.
This latest breach of Freepik is believed to have started with an SQL Injection attack that gave the attackers access to users' emails and hashed passwords. SQL Injection is a web application threat that has been a significant concern since the inception of the OWASP Top 10 list in 2003, so it's troubling that SQL Injection continues to be one of the most exploited vulnerabilities. By one estimate, 25% of breaches last year started with an SQL Injection attack.
Organizations need to take action to better protect themselves against SQL Injection vulnerabilities: 1) adopt coding practices that prevent SQL Injection, such as parameterized queries instead of string concatenation; 2) test for SQL Injection vulnerabilities before code reaches production; and 3) have protection against SQL Injection attacks at runtime.
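To make the first two recommendations concrete, here is an added example (not code from the original article, and unrelated to Freepik's or Flaticon's actual code base): a user lookup written the vulnerable way, the same lookup with a parameterized query, and a small probe-style test that tells the two apart. The in-memory SQLite table, the sample accounts and the placeholder hash strings are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: two accounts with placeholder (non-real) hash strings.
SAMPLE_USERS = [
    ("alice@example.com", "$2b$12$alice-placeholder-hash"),
    ("bob@example.com", "$2b$12$bob-placeholder-hash"),
]

# A classic tautology payload: it closes the quoted literal and appends OR '1'='1'.
INJECTION = "x' OR '1'='1"


def make_db():
    """Create an in-memory users table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def lookup_vulnerable(conn, email):
    """VULNERABLE: user input is pasted into the SQL text, so it can change the query."""
    sql = "SELECT email, password_hash FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """HARDENED: a bound parameter is sent as data; the query shape is fixed."""
    return conn.execute(
        "SELECT email, password_hash FROM users WHERE email = ?", (email,)
    ).fetchall()


def probe_for_injection(conn, lookup):
    """Pre-production check: a nonexistent address must return no rows, and an
    injection payload must not return more rows than that baseline does.
    Returns True when the lookup function looks injectable."""
    baseline = lookup(conn, "nobody@example.invalid")
    injected = lookup(conn, INJECTION)
    return len(injected) > len(baseline)


if __name__ == "__main__":
    db = make_db()
    # The payload dumps every row through the concatenated query...
    print("vulnerable:", lookup_vulnerable(db, INJECTION))
    # ...and matches nothing when it is bound as a parameter.
    print("safe:      ", lookup_safe(db, INJECTION))
    print("vulnerable injectable?", probe_for_injection(db, lookup_vulnerable))
    print("safe injectable?      ", probe_for_injection(db, lookup_safe))
```

The probe is deliberately simple: it only detects a tautology that widens the result set, so it belongs in a test suite alongside a real scanner rather than instead of one. The point it makes is that the fix is structural: with a bound parameter the driver never lets the input be parsed as SQL, so no amount of quoting trickery changes the query.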