- Imgur was informed of the breach last week
- The breach occurred back in 2014
- It announced the breach within a day of disclosure
Image sharing website Imgur has revealed that it suffered a data breach in 2014, one that it only learned of last week from data breach expert Troy Hunt, the man behind the Have I Been Pwned website. The hack saw roughly 1.7 million email addresses and passwords leaked, with the passwords hashed using the now-dated SHA-256 algorithm.
Imgur publicly announced the data breach on Friday, just a day after Hunt disclosed the breach to the site. Hunt claims 60 percent of the email addresses and cracked passwords were already present in the Have I Been Pwned database – indicating they’d been leaked before from other breaches. Hunt praised the speed with which Imgur responded to his disclosure, and impacted users were immediately informed and asked to update their passwords after the leaked data was verified as belonging to Imgur users.
Elaborating on the data breach in a blog post, Roy Sehgal, Chief Operating Officer at Imgur, says the leaked email addresses and passwords were probably cracked by brute force thanks to the now-dated nature of the SHA-256 hashing algorithm used by the website at the time. Sehgal adds that Imgur now uses the bcrypt algorithm to encrypt user data.
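A site that moves from a fast hash such as SHA-256 to a slow, salted scheme can upgrade each stored record at the user's next successful login, since it never holds the plaintext otherwise. The sketch below is an added example, not Imgur's code: it uses the standard library's scrypt in place of bcrypt (an assumption, to avoid a third-party package), and the record format, function names and sample passwords are hypothetical.

```python
import hashlib
import hmac
import os

# Assumption: scrypt stands in for bcrypt; both are salted and deliberately slow.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def legacy_hash(password):
    """One unsalted SHA-256 pass: cheap to compute, so cheap to brute force."""
    return "sha256$" + hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password, salt=None):
    """Salted scrypt record in the form scrypt$<salt hex>$<key hex>."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt${}${}".format(salt.hex(), key.hex())


def verify(password, stored):
    """Return (ok, record_to_store); a legacy record is upgraded on success."""
    scheme, _, rest = stored.partition("$")
    if scheme == "sha256":
        ok = hmac.compare_digest(legacy_hash(password), stored)
        # Only a correct login reveals the plaintext needed to rehash.
        return ok, (slow_hash(password) if ok else stored)
    if scheme == "scrypt":
        salt = bytes.fromhex(rest.partition("$")[0])
        ok = hmac.compare_digest(slow_hash(password, salt), stored)
        return ok, stored
    return False, stored  # unknown scheme: reject rather than guess


if __name__ == "__main__":
    # Constructed sample data: two accounts that share one password.
    db = {"a@example.com": legacy_hash("hunter2"),
          "b@example.com": legacy_hash("hunter2")}
    print("legacy records identical:", db["a@example.com"] == db["b@example.com"])
    for user in db:
        ok, db[user] = verify("hunter2", db[user])
        print(user, ok, db[user][:24] + "...")
    print("upgraded records identical:", db["a@example.com"] == db["b@example.com"])
```

Without a salt, identical passwords produce identical legacy records, so one guess tests every account at once; after the upgrade each record has its own salt and every guess costs a full scrypt computation.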
Sehgal also says none of the leaked email addresses and passwords were tied to any personally identifiable information, as Imgur has never asked for “real names, addresses, phone numbers”. The site is now conducting an internal security review of its systems and processes to prevent a recurrence, and apologises to users. Users are recommended to use different combinations of emails and passwords on different sites and applications, to prevent one leak from providing access to all of their information.
In an email to ZDNet, Sehgal also revealed that Imgur intends to disclose the data breach to the concerned authorities, including California’s attorney general. Of course, the news of the Imgur data breach follows a much bigger one from last week – that of 57 million Uber accounts. A vital difference between the two breaches is that Uber kept its knowledge of the breach hidden for a year.