Imgur, one of the world’s most popular image-sharing websites, has revealed that it was the victim of a major data breach in 2014 that exposed the information of 1.7 million users.
Imgur was unaware of the attack, and the hackers sat on the stolen data for years until security consultant Troy Hunt notified the company about it. He received the stolen Imgur data on his data breach notification site, “Have I Been Pwned”.
On November 23, we were notified about a data breach on Imgur that occurred in 2014. While we are still actively investigating the intrusion, we wanted to inform you as quickly as possible as to what we know and what we are doing in response. More: https://t.co/qElAetGVIc
— Imgur (@imgur) November 25, 2017
Imgur first acknowledged the attack in a blog post, confirming that its users’ data was stolen and disclosing the breach in almost a single day. The company was notified on this Thanksgiving holiday and had sorted things out by Friday.
Troy Hunt was very impressed by the quick response and speed with which Imgur acknowledged the whole matter. He praised the company’s effort by tweeting:
“I want to recognise @imgur’s exemplary handling of this: that’s 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure. Kudos!”
He further added:
“This is really where we’re at now: people recognise that data breaches are the new normal and they’re judging organisations not on the fact that they’ve had one, but on how they’ve handled it when it’s happened”
Imgur suspects that the attack succeeded because of the old and weak SHA-256 algorithm it used at the time to protect passwords, which can be cracked with a brute-force attack. Last year, however, the company switched to bcrypt, a much more secure password-hashing algorithm. Roughly 1.7 million accounts were hacked, but no personal information was compromised, as the website never asked for real names, addresses, phone numbers, or other personally identifying information.
Imgur has a total of 150 million monthly users, which means only a very small percentage of accounts were hacked. If your account was hacked, you should have received an email about it. Still, anyone who uses Imgur should update their password.
The Imgur Chief Operating Officer (COO) Roy Sehgal will be disclosing the data breach to the state’s attorney general, law enforcement, and other relevant government agencies. He has also apologized and said his company was conducting a review of the situation.
Data breaches are becoming common these days; Uber also recently admitted to a data breach last year that affected 57 million of its customers. Sadly, we cannot do anything about it except set a strong and unique password.