Popular image sharing community Imgur said last week it was the victim of a data breach in 2014 that exposed 1.7 million user accounts. In a breach notice posted to its website last Friday, the company said users are being notified via email that they must update their passwords immediately.
“On the afternoon of November 23rd, an email was sent to Imgur by a security researcher who frequently deals with data breaches. He believed he was sent data that included information of Imgur users,” according to a blog post by Roy Sehgal, chief operating officer for Imgur.
Sehgal said compromised account information included only email addresses and passwords. “Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information,” he said.
> On November 23, we were notified about a data breach on Imgur that occurred in 2014. While we are still actively investigating the intrusion, we wanted to inform you as quickly as possible as to what we know and what we are doing in response. More: <https://t.co/qElAetGVIc> > > — Imgur (@imgur) November 25, 2017
“I can say that 1.7 million is a small percentage of our total user accounts today,” Sehgal told Threatpost. He said Imgur does not disclose the number of user accounts, but said Imgur reaches 250 million users a month.
Password data stored with Imgur is encrypted, according to the company. However, Sehgal said at the time of the breach the company used the older SHA-256 hashing algorithm, likely increasing the odds the passwords had been cracked via a brute force attack. Since 2014, Imgur has updated how it encrypts user PII and today uses Bcrypt, a password hashing function based on the Blowfish cipher.
Researcher Troy Hunt, who runs the data breach repository HaveIBeenPwned.com, is credited for tipping Imgur off to the breach. Hunt, in a tweet, lauded Imgur for its speedy handling of the breach notification. According to Sehgal, Hunt sent Imgur “flat text file with email address and passwords.”
“I want to recognize @imgur‘s exemplary handling of this: that’s 25 hours and 10 mins from my initial email to a press address to them mobilizing people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure. Kudos!,” Hunt wrote via Twitter.
> I want to recognise @imgur's exemplary handling of this: that's 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure. Kudos! <https://t.co/jV8MDscXLT> > > — Troy Hunt (@troyhunt) November 25, 2017
Hunt said out that of the 1.7 million passwords and email address pairs he reported to Imgur last week, 60 percent of the passwords and email addresses were already in the HaveIBeenPwned repository.
“Thank you for disclosing this so quickly! Better than a lot of other companies that would rather try to hide and deny it. Thank you for the openness and honesty. :),” wrote one Twitter user that goes by the handle @JaykeBird who was replying to Imgur’s quick disclosure.
> Thank you for disclosing this so quickly! Better than a lot of other companies that would rather try to hide and deny it. Thank you for the openness and honesty. 🙂 > > — Not a time traveler, alien, nor esper (Jayke H.) (@JaykeBird) November 25, 2017
The breach is just the latest in a long string of breach revelations this year. In September, Equifax disclosed a data breach affecting upwards to 143 million Americans. Last week, ride-hailing service Uber Technologies revealed that the company suffered a breach of 57 million Uber user accounts in 2016.
Unlike Imgur, Uber received heavy criticism for not disclosing more speedily a 2016 breach of 57 million Uber user accounts that included the names and driver’s license numbers of around 600,000 drivers in the US.