Freepik says an SQL injection attack led to the leak of 8.3 million email addresses and 3.7 million hashed passwords for users of its Freepik graphic resources app and Flaticon icon database platform.

Falling victim to an SQL injection attack likely indicates the company's system was old or not kept up to date, says Jonn Callahan, principal application security consultant at the security firm nVisium. "Modern frameworks, when properly utilized, almost completely remove SQL injection as a vulnerability," he says. "There are some edge cases where these protections do not apply, but simple input validation against an expected list of values is all that's required to mitigate them. Due to both of these factors, SQL injection is a much more rare vulnerability in the modern appsec landscape."

The Data Breach Numbers

Freepik says the SQL injection attack targeted Flaticon, enabling access to a database. Of the 3.7 million hashed passwords that were accessed, 3.55 million were hashed using bcrypt and 229,000 were hashed using MD5. After the breach, the company says it updated the hash of all users to bcrypt.

"Users who got their password hashed with bcrypt received an email suggesting that they change their password, especially if it was an easy to guess password," Freepik says. "Users who only had their email leaked were notified, but no special action is required from them."

As a further measure, the website forced a mass password reset, prompting users by email to choose a new password. Security specialists nonetheless recommend that affected users stay alert to scam emails that trade on the breach, also known as phishing: with 8.3 million addresses in the attackers' hands, a counterfeit "reset your password" message is the obvious follow-on. Freepik also recommends changing any password that was reused on other websites, to head off credential stuffing, in which leaked email and password pairs are replayed against other services.

Security experts say hashing passwords with MD5 or SHA-1 is inadequate because those are fast general-purpose hash functions, not password hashes, so attackers can recover the original passwords by brute force or, where no salt was used, by precomputed lookup. That's why they urge organizations to use a dedicated password-hashing algorithm such as bcrypt instead (see: Hacked Off: Lawsuit Alleges CafePress Used Poor Security).

Freepik is working with an outside security firm to conduct a full review of its external and internal security practices.

An Old Exploit

As indicated by its top position on OWASP's Top 10 Web Application Security Risks, SQL injection is among the first methods cybercriminals try when attempting to breach a website, although its success rate is rather low, says James McQuiggan, security awareness advocate with cybersecurity firm KnowBe4.

"It's one of the oldest exploits used today, and according to the 2020 Verizon Data Breach Incident Report, it shares the title of most common attack vector against websites with PHP injection. Based on 868 breaches in 2019, the success rate of SQL injection was around 4%, or 34 organizations suffered a breach," McQuiggan notes.

Cody Beers, technical training manager at WhiteHat Security, says SQL injection vulnerabilities are still present in about 10% of all web applications, which creates an extremely large landscape for potential attacks.

SQL injection attacks take advantage of a code error that is specific to an app, making them difficult to detect, says Thomas Hatch, CTO and co-founder at software developer SaltStack. "SQL injection is still a serious attack vector and one that I don't see going away anytime soon," Hatch says. That's because some app developers still make the error of passing unvalidated API input fields straight into database queries, opening the door to such attacks.
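Callahan's point about frameworks, his edge cases that need allowlist validation, and Hatch's point about unvalidated API input are concrete enough to show in code. The following Python is an added example written for this page, not code from Freepik, Flaticon or any of the quoted firms, and it runs against a constructed three-row SQLite table. The vulnerable lookup formats the input into the SQL text, so a tautology returns every account and a UNION payload returns every stored password hash through the same lookup, which is what bulk database access through an injectable query looks like; the parameterized version returns nothing for either. The ORDER BY case is one of the edge cases Callahan means: a column name cannot be bound as a parameter, and an unchecked one lets an attacker turn the sort order into a one-character-at-a-time oracle on stored data, which an allowlist check shuts off. All account data and payloads below are constructed for the demo.

```python
import sqlite3

# Constructed sample accounts for this demo (not Freepik data). The hash values
# are placeholders except carol's, which is the real MD5 of "password".
SAMPLE_USERS = [
    ("zed@example.com", "$2b$12$placeholder-bcrypt-hash-zed"),
    ("alice@example.com", "$2b$12$placeholder-bcrypt-hash-alice"),
    ("carol@example.com", "5f4dcc3b5aa765d61d8327deb882cf99"),
]

# Attacker-controlled inputs. The first turns a lookup into "match every row";
# the second appends a query of the attacker's choosing (every stored hash).
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT email, password_hash FROM users --"

# Column names a client is allowed to sort by (the "expected list of values").
ALLOWED_SORT_COLUMNS = {"id", "email"}


def make_db():
    """In-memory SQLite database seeded with the sample accounts (ids 1..3)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (email, password_hash) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    """String-formats the input into the SQL text, so the input can rewrite the query."""
    return conn.execute(f"SELECT id, email FROM users WHERE email = '{email}'").fetchall()


def lookup_safe(conn, email):
    """Binds the input as a parameter; the driver never parses it as SQL."""
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


def blind_probe(guess):
    """An ORDER BY expression that sorts by id if user 3's hash starts with `guess`,
    otherwise by email. Watching the order leaks the hash one character at a time."""
    return (f"(CASE WHEN (SELECT substr(password_hash, 1, 1) FROM users WHERE id = 3) = '{guess}' "
            "THEN id ELSE email END)")


def sorted_emails_vulnerable(conn, sort_by):
    """ORDER BY cannot take a bound parameter, so the column name is formatted in unchecked."""
    return [row[1] for row in conn.execute(f"SELECT id, email FROM users ORDER BY {sort_by}")]


def sorted_emails_safe(conn, sort_by):
    """Same query, but the identifier is validated against the allowlist first."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unexpected sort column: {sort_by!r}")
    return [row[1] for row in conn.execute(f"SELECT id, email FROM users ORDER BY {sort_by}")]


def sort_rejected(conn, sort_by):
    """True if the allowlisted version refuses the given sort expression."""
    try:
        sorted_emails_safe(conn, sort_by)
    except ValueError:
        return True
    return False


def run_demo():
    """Runs each payload through the vulnerable and the hardened code path."""
    conn = make_db()
    return {
        "vuln_tautology_rows": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "safe_tautology_rows": len(lookup_safe(conn, TAUTOLOGY)),
        "vuln_union_dump": set(lookup_vulnerable(conn, UNION_DUMP)),
        "safe_union_rows": len(lookup_safe(conn, UNION_DUMP)),
        "vuln_probe_right": sorted_emails_vulnerable(conn, blind_probe("5")),
        "vuln_probe_wrong": sorted_emails_vulnerable(conn, blind_probe("6")),
        "safe_probe_rejected": sort_rejected(conn, blind_probe("5")),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two things worth noticing when running it. The parameterized lookup is not "sanitizing" anything: the payloads are sent to the engine as plain values and simply fail to match an email, which is why binding beats escaping. And the probe shows that the two ORDER BY results differ only in row order, so a blind attacker needs nothing but a sortable listing endpoint to read a hash out of the database, one hex digit per request.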
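The hashing figures in The Data Breach Numbers (229,000 MD5 hashes alongside 3.55 million bcrypt ones, and the advice aimed specifically at users with easy-to-guess passwords) come down to what one guess costs the attacker. The following Python is an added example, not Freepik's code, on constructed data: a five-word attacker wordlist and one account stored as an unsalted MD5 digest. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in as the salted, deliberately slow password hash; the migration logic is the same with bcrypt. It shows why an MD5 digest is "reversed" in practice (a dictionary attack needs one fast hash per candidate, and without a salt the same work covers every user), that a slow salted hash still falls to a wordlist when the password is on it, only at a per-guess cost orders of magnitude higher, and a rehash-at-login path for moving legacy records to the new scheme. The record format `scheme$...` and the function names are this example's own.

```python
import hashlib
import hmac
import os
import time

# Constructed demo data (not Freepik's): a tiny attacker wordlist and one legacy
# account whose password "letmein" was stored as an unsalted MD5 digest.
WORDLIST = ["123456", "password", "qwerty", "letmein", "freepik2020"]
LEGACY_RECORD = "md5$" + hashlib.md5(b"letmein").hexdigest()

# PBKDF2-HMAC-SHA256 stands in for bcrypt (not in the standard library); the
# iteration count is the cost knob, like bcrypt's work factor.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Salted, deliberately slow hash. A random per-user salt defeats precomputed
    tables; the iteration count makes every guess cost milliseconds, not nanoseconds."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record, password):
    """Checks a password against either record format (legacy md5$... or pbkdf2_sha256$...)."""
    scheme, rest = record.split("$", 1)
    if scheme == "md5":
        actual = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(actual, rest)
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, digest_hex = rest.split("$")
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(actual.hex(), digest_hex)
    raise ValueError(f"unknown hash scheme: {scheme!r}")


def dictionary_attack(record, wordlist):
    """What 'reversing' a hash means in practice: try candidates until one verifies.
    It succeeds against both schemes if the password is on the list; the difference is
    that an unsalted MD5 digest costs one fast hash per guess and that work covers
    every user at once, while the salted slow hash must be redone per user per guess."""
    for candidate in wordlist:
        if verify(record, candidate):
            return candidate
    return None


def verify_and_upgrade(record, password):
    """Login check that migrates legacy records. The plaintext is only in hand while
    the user logs in, so that is the moment the MD5 record gets replaced.
    Returns (login_ok, record_to_store)."""
    if not verify(record, password):
        return False, record
    if record.startswith("md5$"):
        return True, hash_password(password)
    return True, record


def guess_cost_ratio():
    """Roughly how many times more expensive one slow-hash guess is than one MD5 guess."""
    start = time.perf_counter()
    for _ in range(1000):
        hashlib.md5(b"letmein").hexdigest()
    md5_per_guess = (time.perf_counter() - start) / 1000
    start = time.perf_counter()
    hash_password("letmein")
    slow_per_guess = time.perf_counter() - start
    return slow_per_guess / md5_per_guess


if __name__ == "__main__":
    print("md5 record cracked:", dictionary_attack(LEGACY_RECORD, WORDLIST))
    ok, migrated = verify_and_upgrade(LEGACY_RECORD, "letmein")
    print("login ok:", ok, "new record:", migrated[:40] + "...")
    print("slow record still cracked (weak password):", dictionary_attack(migrated, WORDLIST))
    print("cost per guess, slow hash / md5: ~%.0fx" % guess_cost_ratio())
```

One caveat on the migration step: a stored MD5 digest cannot be turned into a bcrypt hash of the password without the plaintext, so a bulk upgrade either waits for each user's next login (the route above) or wraps the existing digest, storing bcrypt(md5_digest) and verifying as bcrypt(md5(password)); the wrapped form removes the fast-hash exposure immediately and can be unwrapped into a plain bcrypt hash at the next login. The article does not say which route Freepik's update took. Either way, the dictionary_attack result against the migrated record is the reason the reset advice singles out easy-to-guess passwords: a slow hash raises the price of each guess, it does not make a guessable password safe.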