November 27, 2017 // 10:27 a.m.
Image sharing site Imgur has warned users of a 'potential security breach' which took place back in 2014 and in which the email addresses and passwords of 1.7 million users were obtained by attackers unknown.
Founded in 2009 by then-Ohio University student Alan Schaaf as a place for users of social networking site Reddit to quickly upload pictures, Imgur has become one of the most popular image sharing sites around and has branched out into social networking functionality to boot. Popularity, though, brings with it targeted attacks, and the company has now warned its user base of a breach which took place in 2014 resulting in the theft of email addresses and passwords linked to 1.7 million then-active accounts.
'On the afternoon of November 23rd an email was sent to Imgur by a security researcher who frequently deals with data breaches [since confirmed as Troy Hunt, founder of breach notification site Have I Been Pwned],' writes Imgur in its announcement post. 'He believed he was sent data that included information of Imgur users. Our Chief Operating Officer received the email late night on November 23rd and immediately corresponded with the researcher to learn more about the potential breach. He simultaneously notified Imgur's Founder/CEO and Vice President of Engineering. Our Vice President of Engineering then arranged to securely receive the data from the researcher and began working to validate that the data belonged to Imgur users.
'Early morning on November 24th we confirmed that approximately 1.7 million Imgur user accounts were compromised in 2014. The compromised account information included only email addresses and passwords. Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information ("PII"), so the information that was compromised did NOT include such PII.'
While Imgur has confirmed that the passwords were hashed before being stored in the breached database the company has warned that in 2014 it was using the known-weak SHA-256 algorithm which leaves the passwords vulnerable to brute-force and dictionary-based attacks. 'We updated our algorithm to the new bcrypt algorithm last year,' the company has confirmed.
'We take protection of your information very seriously and will be conducting an internal security review of our system and processes. We apologize that this breach occurred and the inconvenience it has caused you. If you have questions, we encourage you to contact us at firstname.lastname@example.org.'