Imgur, a popular online image sharing community, recently issued a notice about a data breach dating back to 2014 that affected the email addresses and passwords of 1.7 million user accounts.
The stolen accounts represent a fraction of Imgur’s 150 million monthly users. The hack went unnoticed for four years until the stolen data was sent to Troy Hunt, who runs data breach notification service Have I Been Pwned. Hunt informed the company; soon they started resetting the passwords of affected accounts, and published an official notice alerting users of the breach.
Roy Sehgal, Chief Operating Officer of Imgur, said: “We confirm that approximately 1.7 million Imgur user accounts were compromised in 2014. The compromised account information included only email addresses and passwords. Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information (“PII”), so the information that was compromised did NOT include such PII.”
He further added: “We are still investigating how the account information was compromised. We have always encrypted users’ passwords in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time. We updated our algorithm to the new bcrypt algorithm last year.”
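The migration the statement describes, moving stored passwords from a fast unsalted hash to a slow salted one while users log in, as an added example that is not Imgur's code. It assumes a legacy record is a bare hex SHA-256 digest, and uses PBKDF2-HMAC from Python's standard library as a stand-in for bcrypt so it runs without third-party packages.

```python
import hashlib
import hmac
import os

# Assumption: stand-in work factor for the slow hash (bcrypt would use a cost
# parameter instead). Iterated hashing is what makes each guess expensive.
PBKDF2_ITERATIONS = 200_000


def make_legacy_users() -> dict:
    """Constructed sample table: one account stored the 2014 way, as a single
    unsalted SHA-256 digest. Fast and unsalted means one guess tests every
    account that shares a password, which is why such tables fall to brute force."""
    return {"alice@example.com": hashlib.sha256(b"correct horse").hexdigest()}


def slow_hash(password: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated record in a self-describing format: scheme$iters$salt$digest."""
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_slow(password: bytes, record: str) -> bool:
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def login(users: dict, email: str, password: str) -> bool:
    """Verify a login. A legacy SHA-256 record that verifies is replaced on the
    spot with a salted slow-hash record, so the table upgrades as users return."""
    record = users.get(email)
    if record is None:
        return False
    pw = password.encode()
    if record.startswith("pbkdf2$"):
        return verify_slow(pw, record)
    # Legacy path: 64 hex characters of unsalted SHA-256, compared in constant time.
    if hmac.compare_digest(hashlib.sha256(pw).hexdigest(), record):
        users[email] = slow_hash(pw, os.urandom(16))
        return True
    return False


def count_legacy(users: dict) -> int:
    """Audit helper: how many accounts still hold a fast, unsalted record."""
    return sum(1 for rec in users.values() if not rec.startswith("pbkdf2$"))
```

Accounts that never log in again keep their weak record, so an audit of `count_legacy` after a grace period tells you which hashes still need a forced reset.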
According to Hunt, 60 percent of email addresses were already in Have I Been Pwned’s database of more than 4.8 billion records.
The company said it has already started notifying impacted users via their registered email addresses. It asked users to update their passwords immediately and recommended using a different combination of email and password for every site and application.
The Imgur hack is the latest in a long list of historical breaches that took place years ago but only came to light in 2017. Other affected companies include Yahoo, Uber, LinkedIn, Disqus, and MySpace.
Hunt praised the company for its swift response to the breach notification and disclosure of the data breach.
“I want to recognise @imgur’s exemplary handling of this: that’s 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure. Kudos!” Hunt tweeted.
“This is really where we’re at now: people recognise that data breaches are the new normal and they’re judging organizations not on the fact that they’ve had one, but on how they’ve handled it when it happened.”