Imgur hacked: Personal details of 1.7 million user accounts stolen in major data breach
Security expert Troy Hunt praised the company over its swift response over the Thanksgiving weekend.
Imgur said it suffered a major data breach in 2014 that compromised the email addresses and passwords of 1.7 million user accounts. The popular photo-sharing site was alerted by Troy Hunt, security expert and creator of the data breach notification website Have I Been Pwned, of the security breach on Thursday (23 November) which happened to be Thanksgiving – a US national holiday when most businesses are closed.
The company confirmed the breach a day later and published a public disclosure notifying users of the intrusion.
"The compromised account information included only email addresses and passwords," Imgur's chief operating officer, Roy Sehgal, said in a statement. "Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information, so the information that was compromised did NOT include such PII."
Imgur said they are still investigating how the data was compromised.
"We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time," Imgur said. "We updated our algorithm to the new bcrypt algorithm last year."
Imgur users have been asked to update their passwords and not use the same one across multiple sites and applications.
"We take protection of your information very seriously and will be conducting an internal security review of our system and processes. We apologize that this breach occurred and the inconvenience it has caused you," the company said.
Hunt, however, praised the company for its swift response and disclosure of the breach.
"I want to recognise @imgur's exemplary handling of this: that's 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure. Kudos!" Troy tweeted. "This is really where we're at now: people recognise that data breaches are the new normal and they're judging organisations not on the fact that they've had one, but on how they've handled it when its happened."
Hunt noted that 60% of email addresses were already in Have I Been Pwned's database.
Disclosure of the breach comes as the latest in a series of security breaches that took place years ago that have only come to light in 2017. Other companies that revealed major breaches include Yahoo, LinkedIn, Disqus, MySpace and We Heart It.
On November 23, we were notified about a data breach on Imgur that occurred in 2014. While we are still actively investigating the intrusion, we wanted to inform you as quickly as possible as to what we know and what we are doing in response. More: https://t.co/qElAetGVIc
— Imgur (@imgur) November 25, 2017
Hacks are never a good thing but some cool stuff here. Awesome that @troyhunt gave them a heads up, awesome they owned and reacted right away. Not a matter of sides or blame, just good people helping out https://t.co/voFZCkNI7m
— Jeff Hollan (@jeffhollan) November 25, 2017
- MOST POPULAR IN CyberSecurity
