The popular image hosting service Imgur has been the victim of an attack that took data from around 1.7 million accounts. However, this incident did not happen recently. The attack took place in 2014. According to Imgur, Imgur was notified of a potential security breach that occurred in 2014 that affected the email addresses and passwords of 1.7 million user accounts. Three years have been passed and it is still being investigated the intrusion.
On November 23, we were notified about a data breach on Imgur that occurred in 2014. While we are still actively investigating the intrusion, we wanted to inform you as quickly as possible as to what we know and what we are doing in response. More: https://t.co/qElAetGVIc
— Imgur (@imgur) November 25, 2017
On the afternoon of November 23, an email was sent to Imgur by a security researcher who frequently deals with data breaches. He believed he was sent data that included information of Imgur users. Imgur’s Chief Operating Officer received the email late night on November 23rd and immediately corresponded with the researcher to learn more about the potential breach. He simultaneously notified Imgur’s Founder/CEO and Vice President of Engineering. Imgur’s Vice President of Engineering then arranged to securely receive the data from the researcher and began working to validate that the data belonged to Imgur users.
On next day early morning, they confirmed that approximately 1.7 million Imgur user accounts were compromised in 2014. The compromised account information included only user’s email addresses and passwords. Imgur never asked for names, addresses, phone numbers, or other personally-identifying information.
According to Imgur, the password in the database was encrypted but it may have been cracked due to the hash algorithm (SHA-256) used in 2014. November 24th from the morning, Imgur began notifying impacted users via their registered email address to change their password.
Chief operating officer Roy Sehga said, “We take the protection of your information very seriously and will be conducting an internal security review of our system and processes. We apologize that this breach occurred and the inconvenience it has caused you.”