Imgur, one of the world’s most popular image sharing websites, has confirmed that it suffered a massive data breach in 2014, in which the details of 1.7 million users were stolen. For a long time, the breach went unnoticed, but over the last few days, Imgur has investigated what happened and disclosed the situation to users.
Currently, Imgur has over 150 million monthly users, so the number of users affected is relatively small in comparison. Email addresses and passwords were stolen during the attack, but the passwords were hashed with the SHA-256 algorithm.
The attack went unnoticed for several years, but eventually, the stolen data was passed along to Troy Hunt, who runs ‘Have I Been Pwned’. This is a website designed to inform users if their information has been stolen as part of a cyber attack on a website. After the leaked database showed up there, Imgur quickly responded with a full disclosure post for users.
In Imgur’s blog post on the matter, the company said that approximately 1.7 million accounts were compromised, with emails and passwords being taken. However, since Imgur doesn’t take any other personal information from users, that’s all hackers could get their hands on. Passwords were hashed rather than stored in plain text, but Imgur warns that they could have been cracked using a brute force method due to the use of the older SHA-256 algorithm. Imgur replaced this algorithm in 2016 with the stronger bcrypt algorithm.
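To show why a single SHA-256 pass is cheap to guess against while a deliberately slow password hash is not, and how old records can be upgraded when a user next logs in, here is an added example that is not from Imgur or the article. It uses PBKDF2 from Python's standard library as a stand-in for bcrypt; the record formats, function names and the unsalted legacy scheme are assumptions, since the article does not describe Imgur's storage format.

```python
import hashlib, hmac, os, time

PBKDF2_ITERATIONS = 600_000  # assumed work factor for the stand-in slow hash

def legacy_hash(password: str) -> str:
    # Assumed legacy format: one unsalted SHA-256 pass.
    return "sha256$" + hashlib.sha256(password.encode()).hexdigest()

def slow_hash(password: str) -> str:
    # Per-user random salt plus many iterations makes each guess expensive.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_and_upgrade(password: str, stored: str):
    """Return (ok, replacement). replacement is a new record to store, or None."""
    scheme = stored.split("$", 1)[0]
    if scheme == "sha256":
        ok = hmac.compare_digest(legacy_hash(password), stored)
        # A correct login is the only moment the plaintext is available to re-hash.
        return ok, (slow_hash(password) if ok else None)
    if scheme == "pbkdf2":
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        ok = hmac.compare_digest(dk.hex(), dk_hex)
        outdated = ok and int(iters) < PBKDF2_ITERATIONS
        return ok, (slow_hash(password) if outdated else None)
    return False, None  # unknown scheme: reject rather than guess

def per_guess_cost(n_fast: int = 20_000):
    """Seconds per password guess for the fast and the slow scheme."""
    t0 = time.perf_counter()
    for i in range(n_fast):
        hashlib.sha256(b"guess%d" % i).digest()
    fast = (time.perf_counter() - t0) / n_fast
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", b"\x00" * 16, PBKDF2_ITERATIONS)
    slow = time.perf_counter() - t0
    return fast, slow

if __name__ == "__main__":
    record = legacy_hash("constructed-sample-password")  # constructed sample input
    ok, record2 = verify_and_upgrade("constructed-sample-password", record)
    print("login ok:", ok, "| upgraded to:", record2.split("$")[0])
    fast, slow = per_guess_cost()
    print(f"cost per guess: sha256 {fast:.2e}s, slow hash {slow:.2e}s")
```

Accounts that never log in again keep their legacy record, which is why a forced password reset like the one Imgur announced is still needed for them.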
Imgur will now begin notifying impacted users via their registered email address. Those users will also be required to update their password. The post ends with a recommendation that users don’t use the same email and password combination for every website and to update their passwords from time to time in order to stay secure.
KitGuru Says: Ideally, a breach like this wouldn’t have gone unnoticed for several years. Still, it is good to see Imgur stepping up and disclosing swiftly after finding out about it. If you happen to use Imgur, and your account was made prior to 2015, then you should update your password to stay on the safe side.