Imgur has recently released information on a data breach, and the site claims that 1.7 million users had their email addresses and passwords compromised in the incident.
Imgur, an extremely popular photo sharing site, was recently notified of a potential breach that occurred in 2014 and compromised user email addresses and passwords. Luckily, Imgur does not ask users for any other personally identifying information, so names, phone numbers, residential addresses, and further information were not compromised as part of the breach. The company shared further details in the notice it posted on its blog.
It’s unclear how the site was breached, as Imgur is still investigating. But it’s believed the attacker(s) used a brute force attack to crack passwords hashed with an older algorithm that was in use at the time. Imgur points out that it is now using a newer, more secure algorithm for account protection.
Security researcher Troy Hunt tipped off Imgur to the possible breach after receiving the stolen data. Hunt runs haveibeenpwned.com, a site which lets you check if one of your accounts may have been compromised in a data breach. Hunt called Imgur’s handling of the possible breach “exemplary.”
I want to recognise @imgur's exemplary handling of this: that's 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure. Kudos! https://t.co/jV8MDscXLT
— Troy Hunt (@troyhunt) November 25, 2017
Imgur’s response looks great when compared with other recent breaches, like Equifax or the recently announced Uber breach — a report from the Wall Street Journal claims that new Uber CEO Dara Khosrowshahi actually learned about the breach in September, but no announcement was made until last week.
Although no personally identifying information was revealed in the Imgur hack, that doesn’t mean it’s harmless. Compromised email addresses often point to real names, and some Imgur users may have used their Imgur passwords on other sites, which would make those accounts more vulnerable.
The hack is a reminder to change passwords frequently, and to use different passwords for every site. Our article Five Simple Ways To Improve Your Cybersecurity points out the latter tip, and a few more as well.