Imgur sent out a notification on November 24 announcing that it had discovered a data breach that occurred in 2014. The photo-sharing website says a researcher notified it late on November 23 of a 2014 breach affecting about 1.7 million accounts, which had gone undetected until now. The company says it is actively investigating how the incident happened and wanted to inform users as quickly as possible.
On November 23, we were notified about a data breach on Imgur that occurred in 2014. While we are still actively investigating the intrusion, we wanted to inform you as quickly as possible as to what we know and what we are doing in response. More: https://t.co/qElAetGVIc
— Imgur (@imgur) November 25, 2017
Imgur, for the uninitiated, is an online image-sharing community founded by Alan Schaaf in 2009.
The website failed to realize that a hack had happened for almost four years, until the stolen data was sent to security consultant Troy Hunt. Hunt, who runs the data breach notification service Have I Been Pwned, notified Imgur's Chief Operating Officer of the breach on Thanksgiving, and he says the company took immediate action. The CEO/founder and the vice president of engineering were informed right away and the necessary actions were taken.
“I disclosed this incident to Imgur late in the day in the midst of the U.S. Thanksgiving holidays,” Hunt said. “That they could pick this up immediately, protect impacted accounts, notify individuals and prepare public statements in less than 24 hours is absolutely exemplary.”
Imgur says that the compromised account information included only email addresses and passwords. Since Imgur never asked its users for personal details such as names, addresses or phone numbers, that information was not at risk. The stolen accounts are also only a fraction of the 150 million monthly users the website gets.
As for how this happened in the first place, Chief Operating Officer Roy Sehgal said in the statement that the company is still investigating. He says the company has always encrypted user passwords in its database, but that they may have been cracked by brute force during the period when the company was using an older hashing algorithm, SHA-256. He notes that the company upgraded to the bcrypt algorithm last year.
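The upgrade Sehgal describes is a common migration: a store of fast, unsalted SHA-256 password digests is replaced, one record at a time, by a salted, deliberately slow hash when each user next logs in, since that is the only moment the plaintext is available. The following is an added illustration, not Imgur's code, showing why the old scheme is weak (identical passwords produce identical digests, and each guess costs one fast hash) and how the transparent rehash on login works. The article names bcrypt as the new scheme; bcrypt requires a third-party package, so this example uses PBKDF2-HMAC-SHA256 from the Python standard library as the slow, salted stand-in, and the iteration count, user records and passwords are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example, not Imgur's code. Models the migration the article describes:
# legacy unsalted SHA-256 digests are rehashed with a salted slow KDF on next login.
# PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption: any slow, salted KDF
# serves the same defensive purpose). The iteration count is an assumed work factor;
# tune it so one hash costs on the order of 100 ms on the production hardware.
PBKDF2_ITERATIONS = 200_000


@dataclass
class Record:
    scheme: str    # "sha256" (legacy, unsalted, fast) or "pbkdf2" (salted, slow)
    salt: bytes    # empty for legacy records
    digest: bytes


def legacy_hash(password: str) -> Record:
    """The weak legacy scheme: a single fast, unsalted SHA-256 over the password."""
    return Record("sha256", b"", hashlib.sha256(password.encode()).digest())


def strong_hash(password: str, salt: Optional[bytes] = None) -> Record:
    """The upgraded scheme: a random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return Record("pbkdf2", salt, digest)


def verify(record: Record, password: str) -> bool:
    """Check a password against a record of either scheme using a constant-time compare."""
    if record.scheme == "sha256":
        candidate = hashlib.sha256(password.encode()).digest()
    elif record.scheme == "pbkdf2":
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record.salt, PBKDF2_ITERATIONS)
    else:
        return False
    return hmac.compare_digest(candidate, record.digest)


def login(store: Dict[str, Record], email: str, password: str) -> bool:
    """Authenticate; on success, transparently rehash a legacy record with the strong scheme."""
    record = store.get(email)
    if record is None:
        # Spend a KDF computation anyway so an unknown account is not revealed by timing.
        strong_hash(password)
        return False
    if not verify(record, password):
        return False
    if record.scheme == "sha256":
        # The plaintext is in hand only during a successful login, so upgrade now.
        store[email] = strong_hash(password)
    return True


def count_legacy(store: Dict[str, Record]) -> int:
    """How many records still carry the weak scheme (a useful migration metric)."""
    return sum(1 for r in store.values() if r.scheme == "sha256")


def demo() -> Dict[str, Record]:
    """Constructed sample store: two users with 2014-era unsalted SHA-256 digests."""
    return {
        "alice@example.invalid": legacy_hash("correct horse battery staple"),
        "bob@example.invalid": legacy_hash("hunter2"),
    }


if __name__ == "__main__":
    store = demo()
    print("legacy records before login:", count_legacy(store))
    print("alice logs in:", login(store, "alice@example.invalid", "correct horse battery staple"))
    print("legacy records after login:", count_legacy(store))
    print("same password, same legacy digest:", legacy_hash("hunter2").digest == legacy_hash("hunter2").digest)
    print("same password, different salted digest:", strong_hash("hunter2").digest != strong_hash("hunter2").digest)
```

The two comparisons at the end are the heart of the matter: with the legacy scheme every user who chose the same password shares one digest, so one cracked digest unlocks all of them, whereas the salted scheme gives each user a unique digest and makes every guess cost a full slow KDF run. The `count_legacy` figure is what an operations team would watch to know how much of the database is still exposed to the old weakness, and records belonging to users who never log in again should be reset rather than left in the legacy form.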
Following the revelation, the company began notifying impacted users on the morning of November 24 via their registered email addresses, and has asked them to update their passwords immediately.
Imgur has also put out some dos and don'ts for users in its release, asking them to use a different combination of email and password for every site and application, to always choose strong passwords, and to change them regularly.
According to ZDNet, Hunt has said that almost 60 percent of the email addresses leaked in the hack were already in Have I Been Pwned's database, which contains more than 4.8 billion records.
Security breaches have been on the rise lately. The Imgur hack is certainly not the first, but it is one of the biggest, given that over 1.7 million accounts were affected. The cab-hailing app Uber also suffered a security breach last year, in October. Uber revealed to the public that the data of 57 million users had been compromised in a hack. Unlike Imgur, Uber knew about the hack from the time it happened and withheld the information. Even the new CEO, Dara Khosrowshahi, knew about the hack months before it was made public.