The image-sharing website Imgur has confirmed that the emails and passwords of 1.7 million users were compromised in 2014. According to Imgur, the breach didn’t include personal information because the site has “never asked” for real names, addresses, or phone numbers.
The hack occurred in 2014, but Imgur says it only came to light on November 23, when it was contacted by security researcher Troy Hunt, who had been sent the stolen data as a consequence of running the haveibeenpwned data breach notification service.
Roy Sehgal (Imgur’s Chief Operating Officer) said in a blog post:
“We apologize that this breach occurred and the inconvenience it has caused you.”
Imgur said it was “still investigating” but that its former encryption method – a hashing algorithm – may have been “cracked with brute force.”
“The company, based in California, plans to disclose the data breach to the state’s attorney general, law enforcement, and other relevant government agencies.”
Troy Hunt tweeted:
“This is really where we’re at now: people recognize that data breaches are the new normal and they’re judging organizations not on the fact that they’ve had one but on how they’ve handled it when it’s happened.”
Imgur said it changed its password hashing to bcrypt, a much stronger password-hashing algorithm, last year. But anyone who uses the same Imgur email address and password combination on other sites should also change those passwords.