Imgur reported a 2014 data breach late Friday night, confirming that hackers had managed to steal data from over 1.7 million accounts. Security researcher Troy Hunt had informed the popular image hosting website of the data breach last week ahead of Thanksgiving.
Unlike Uber, which tried to cover up a 2016 data breach that affected over 57 million users by paying hackers to keep quiet about the incident, Imgur quickly responded to the data breach notification and took steps to address the issue. Since Uber's data breach also came to light last week, many in the industry are comparing Imgur's quick response with Uber's unethical and probably illegal approach of keeping affected users in the dark.
"I want to recognise Imgur’s exemplary handling of this: that's 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure," Hunt said.
Imgur security breach probably happened because of an older hashing algorithm
Imgur is yet another tech company suffering from a security breach that happened years earlier but has only now come to light. The company said that 1.7 million emails and passwords are affected. No additional information is at risk because "Imgur has never asked for real names, addresses, phone numbers, or other personally identifying information (“PII”), so the information that was compromised did NOT include such PII."
The image hosting site, which has now become more of a social network for memes, said that it is investigating how the breach occurred, adding that it may be because of an older hashing algorithm.
"We are still investigating how the account information was compromised. We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time. We updated our algorithm to the new bcrypt algorithm last year."
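The move from a fast hash to a work-factor hash that the statement describes can be done without asking every user for a new password. The sketch below is an added example, not Imgur's code: it assumes the legacy records are single-round unsalted SHA-256 (the page names only the algorithm), uses the standard library's scrypt as a stand-in for bcrypt, and the record format and function names are hypothetical.

```python
import hashlib
import hmac
import os

# scrypt work factors: assumed values for this example, tune for your hardware.
N, R, P = 2**14, 8, 1

def legacy_hash(password):
    # Assumed legacy format: one unsalted SHA-256 round, cheap to guess at scale.
    return "sha256$" + hashlib.sha256(password.encode()).hexdigest()

def slow_hash(password, salt=None):
    # A per-user random salt plus a memory-hard KDF makes every guess expensive.
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return "scrypt$" + salt.hex() + "$" + dk.hex()

def verify(stored, password):
    # Recompute the hash under whichever scheme the stored record declares.
    scheme, _, rest = stored.partition("$")
    if scheme == "sha256":
        candidate = legacy_hash(password)
    elif scheme == "scrypt":
        candidate = slow_hash(password, bytes.fromhex(rest.split("$")[0]))
    else:
        return False
    # Constant-time comparison of the two encoded records.
    return hmac.compare_digest(candidate, stored)

def login(db, user, password):
    stored = db.get(user)
    if stored is None or not verify(stored, password):
        return False
    # The plaintext is only available at login, so upgrade the record now.
    if not stored.startswith("scrypt$"):
        db[user] = slow_hash(password)
    return True

if __name__ == "__main__":
    db = {"alice": legacy_hash("correct horse")}  # constructed sample record
    print(login(db, "alice", "wrong"), db["alice"][:7])
    print(login(db, "alice", "correct horse"), db["alice"][:7])
```

Accounts that never log in again keep the legacy hash, so a migration like this is usually paired with a forced reset or with wrapping the old digest inside the slow hash.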
Imgur's data breach follows major breaches that have affected LinkedIn, MySpace, Disqus, Uber, Equifax, Yahoo, and many other companies. The company is currently advising users to change their passwords.