Imgur reacted quickly over the holiday to notify the public after learning it was hacked in 2014. Imgur was hacked and the attacker made off with 1.7 million email addresses and passwords. But the hacker sat on the stolen data for years; it allegedly wasn’t until security researcher Troy Hunt received the data that Imgur even knew it was hacked back in 2014.

While it isn’t impressive that the company was hacked, Imgur’s response was “exemplary,” according to Hunt. Unlike Uber, which knew it was hacked in 2016 and paid hush money to the hackers to try to keep the hack a secret, Imgur confirmed that users’ data was stolen and disclosed the breach in a little more than one day. And the day the company was notified happened to be Thanksgiving, a day when most U.S. businesses are closed for the holiday.

The stolen Imgur data was sent to Hunt, who runs the data breach notification site Have I Been Pwned. Hunt notified Imgur on Thanksgiving, Nov. 23, and the company began validating that the data belonged to Imgur users. By the morning of Black Friday, Nov. 24, Imgur confirmed “that approximately 1.7 million Imgur user accounts were compromised in 2014.” Imgur tweeted about the breach on Friday, and its notice of the data breach was disclosed on the same day.

Imgur used the hashing algorithm SHA-256 at the time of the attack

Imgur noted that the breach included email addresses and passwords for about 1.7 million users. At the time of the breach, Imgur said it used the hashing algorithm SHA-256, which may have been cracked with brute force. Last year, Imgur moved to the bcrypt algorithm.

Even though the hack occurred years ago, Imgur is “actively investigating the intrusion.” The company said the stolen account information did not include users’ personally identifying information (PII), since “Imgur has never asked for real names, addresses, phone numbers, or other personally identifying information.”

Imgur contacted the 1.7 million users impacted in this breach via their registered email; those users are required to update their passwords. Hunt said 60 percent of the “1.7 million records with email addresses and cracked passwords” from the Imgur hack were already listed in Have I Been Pwned.

Imgur Chief Operating Officer (COO) Roy Sehgal thanked Hunt for alerting the company to the breach.

Hunt praised Imgur for its quick action, saying he notified the company about the data breach on the Thanksgiving holiday, and 25 hours and 10 minutes later, Imgur notified the public about the breach.

“I want to recognise @imgur’s exemplary handling of this: that’s 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure. Kudos! https://t.co/jV8MDscXLT” — Troy Hunt (@troyhunt) November 25, 2017

Hunt added:

“This is really where we’re at now: people recognise that data breaches are the new normal and they’re judging organisations not on the fact that they’ve had one, but on how they’ve handled it when it’s happened https://t.co/zV5YLa8hKQ” — Troy Hunt (@troyhunt) November 25, 2017

Any Imgur users who were reusing passwords back in 2014 should change the passwords for other sites, as that email address and password combo is out in the wild.
Hopefully, those users have switched to using a password manager or now at least create strong, unique passwords for each site.

Imgur, which claims to have 150 million monthly users, said, “We take protection of your information very seriously and will be conducting an internal security review of our system and processes. We apologize that this breach occurred and the inconvenience it has caused you.”

Sehgal told ZDNet that “the company, based in California, plans to disclose the data breach to the state’s attorney general, law enforcement, and other relevant government agencies.”