Imgur was hacked and the attacker made off with 1.7 million email addresses and passwords. But the hacker sat on the stolen data for years; it allegedly wasn’t until security researcher Troy Hunt received the data that Imgur even knew it was hacked back in 2014.
While it isn’t impressive that the company was hacked, Imgur’s response was “exemplary” according to Hunt. Unlike Uber, which knew it was hacked in 2016, paid hush money to the hackers and tried to keep the hack a secret, Imgur confirmed that users’ data was stolen and disclosed the breach in a little more than one day. And the day the company was notified happened to be Thanksgiving, a day when most U.S. businesses are closed for the holiday.
The stolen Imgur data was sent to Hunt, who runs the data breach notification site Have I Been Pwned. Hunt notified Imgur on Thanksgiving, Nov. 23, and the company began validating that the data belonged to Imgur users. By the morning of Black Friday, Nov. 24, Imgur confirmed “that approximately 1.7 million Imgur user accounts were compromised in 2014.” Imgur tweeted about the breach on Friday and published its data breach notice the same day.
Imgur noted that the breach included email addresses and passwords for about 1.7 million users. Imgur said that at the time of the breach it used the SHA-256 hashing algorithm, which may have been cracked with brute force. Last year, Imgur moved to the bcrypt algorithm. Even though the hack occurred years ago, Imgur is “actively investigating the intrusion.”
The company said the stolen account information did not include users’ personally-identifying information (PII), since “Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information.”
Imgur contacted the 1.7 million users impacted in this breach via their registered email; those users are required to update their passwords.
Hunt said that 60 percent of the “1.7 million records with email addresses and cracked passwords” from the Imgur hack were already listed in Have I Been Pwned.
Imgur Chief Operating Officer (COO) Roy Sehgal thanked Hunt for alerting the company to the breach.