We Heart It hacked: Personal data of more than 8 million accounts compromised in data breach
Although the passwords were encrypted, We Heart It said the encryption algorithms used to encrypt them "are no longer secure".
We Heart It, the once-popular image-bookmarking site used by millions of teens said it suffered a data breach that compromised the data of more than eight million accounts. The company said it was alerted by Troy Hunt, security expert and founder of the data breach notification website Have I Been Pwned, of the security breach that took place "several years ago".
The compromised data included usernames, email addresses and encrypted passwords for We Heart It accounts created between 2008 and November 2013. However, the firm said there is currently no evidence or any "unauthorised logins or wrongdoing" by threat actors.
Although the passwords were encrypted, the company noted that the encryption algorithms used to encrypt them back in 2013 "are no longer secure due to advancements in computer hardware".
"Since 2013 we have made significant upgrades and improvements to our systems, security protocols, password security, and database," We Heart It said in a blog post. "Additionally, we have taken immediate action to further protect all We Heart It account passwords with additional encryption using the secure bcrypt algorithm.
"We are in the process of updating all user passwords with this additional encryption as expeditiously as possible."
The company is currently contacting all affected users via email and has advised them to change their We Heart It password if it has not been updated since 2013. It also recommended that users update their passwords on other platforms and services if they happen to use the same login credentials across different sites.
"We would like to apologise to all of our users who were affected by this breach," the We Heart It team said. "We will continue to investigate this incident, and will update this post as and if further relevant information comes to light."
According to Hunt, 55% of the email addresses compromised in the breach were already in Have I Been Pwned's database.