Imgur confirms breach, 1.7 million users affected

Popular image hosting website Imgur has announced on Friday that hackers stole usernames and passwords of 1.7 million of its users. The breach dates back to 2014, when Imgur still encrypted the stored passwords with the SHA-256 algorithm, which has since been found too weak to withstand brute forcing.

Imgur breach

The company made sure to note that the compromised account information included only email addresses and passwords, as they’ve never asked for users’ real names, addresses, phone numbers, or other personally-identifying information.

Discovery of the breach

“On the afternoon of November 23rd, an email was sent to Imgur by a security researcher who frequently deals with data breaches. He believed he was sent data that included information of Imgur users,” Roy Sehgal, Imgur’s Chief Operating Officer, explained.

The researcher in question is Troy Hunt, who runs the Have I Been Pwned service.

Despite it being Thanksgiving in the US, where the company is based, they quickly mounted an investigation to validate that the data Hunt sent them belonged to Imgur users and, when they established that it does, they begun notifying affected users via their registered email address the next day.

They also reset their passwords, and advised them to choose a new, unique, and strong one.

Company reaction

“We take protection of your information very seriously and will be conducting an internal security review of our system and processes. We apologize that this breach occurred and the inconvenience it has caused you,” Sehgal concluded.

Hunt has praised Imgur’s quick reaction and handling of the disclosure of the breach, although some users will surely be miffed by the fact that the breach happened and they never noticed.

Unfortunately, data breaches like this one have become the new normal.

Imgur says they’ve switched to scrambling user passwords with bcrypt last year. And, according to Hunt, 60 percent of the stolen email addresses were already in Have I Been Pwned’s database (i.e. they’ve already been compromised in previous breaches).