Imgur warns its users about the data breach
On November 23, 2017, Imgur received an unexpected email from a security researcher warning the company of a data breach. According to him, he had been sent a copy of stolen email addresses and passwords that he believed to belong to users of the well-known image-sharing service. Imgur's Vice President of Engineering immediately began validating the data.
Shortly afterwards, Imgur confirmed the security breach, which happened in 2014 and involved approximately 1.7 million Imgur users, almost 1.13% of the service's 150 million users. Luckily, the company has never asked users to share personal information, so only email addresses and passwords were compromised in the breach.
According to the official report, the Chief Operating Officer, Roy Sehgal, states the following:
Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information (“PII”), so the information that was compromised did NOT include such PII.
However, since some users reuse the same password on multiple websites, the company is asking them to change their login information not only for their Imgur accounts but for other sites as well.
Hackers cracked passwords hashed with the SHA-256 algorithm
While there is still no reliable information on how the incident went unnoticed for almost three years, IT experts believe that the stored password hashes were cracked by brute force. The company was hashing passwords with plain SHA-256, a fast general-purpose hash that offers little resistance to brute-force password guessing.
The COO says:
We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time.
Fortunately, last year Imgur moved its password hashing to the much stronger bcrypt algorithm to protect its users from such attacks.
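To make the difference concrete, here is an added example (not Imgur's code, and not from the article) of the migration the company describes: a legacy SHA-256 record is verified and transparently re-hashed with a slow, salted password hash on the next successful login, and the per-guess cost of both schemes is measured. bcrypt is not in Python's standard library, so `hashlib.scrypt` stands in for it; the function names, the constructed sample password and the scrypt parameters are my own choices.

```python
import hashlib
import hmac
import os
import time

# Legacy scheme at issue in the breach: one fast SHA-256 over the password.
def legacy_sha256(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Slow, salted password hash. bcrypt is not in the standard library, so
# hashlib.scrypt stands in for it here; the upgrade-on-login logic is the same.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def slow_hash(password: str, salt=None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${salt.hex()}${digest.hex()}"

def verify_and_upgrade(stored: str, password: str):
    """Check a login attempt and return (ok, record_to_store).

    A legacy SHA-256 record is re-hashed with the slow scheme on the first
    successful login, so old hashes leave the database without a forced reset."""
    if stored.startswith("scrypt$"):
        _, n, salt_hex, digest_hex = stored.split("$")
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=SCRYPT_R, p=SCRYPT_P, dklen=32)
        return hmac.compare_digest(candidate.hex(), digest_hex), stored
    ok = hmac.compare_digest(legacy_sha256(password), stored)
    return (True, slow_hash(password)) if ok else (False, stored)

def seconds_per_guess(hash_fn, samples: int) -> float:
    """Average wall-clock cost of one hash, i.e. an attacker's cost per guess."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess-{i}")
    return (time.perf_counter() - start) / samples

def cost_ratio() -> float:
    """How many times more expensive each brute-force guess is after migration."""
    return seconds_per_guess(slow_hash, 10) / seconds_per_guess(legacy_sha256, 2000)

if __name__ == "__main__":
    # Constructed sample: a user record left over from the SHA-256 era.
    record = legacy_sha256("correct horse battery staple")
    ok, record = verify_and_upgrade(record, "correct horse battery staple")
    print(ok, record.startswith("scrypt$"))             # True True
    print(verify_and_upgrade(record, "wrong guess")[0])  # False
    print(f"each guess costs ~{cost_ratio():.0f}x more after migration")
```

The ratio printed at the end is the whole point of the change: a leaked table of slow, salted hashes costs an attacker orders of magnitude more per guess than the SHA-256 table that was taken in 2014.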
Imgur takes further measures to protect users
On November 24, Imgur employees started notifying affected users at their registered email addresses. It took Imgur only 25 hours to go from the researcher's warning to password resets and public disclosure. This is a highly respectable decision, especially in light of the news that Uber paid the criminals a $100,000 ransom in 2016 to keep quiet about its own security breach.
In the official response, the company asks users to do the following:
We recommend that you use a different combination of email and password for every site and application. Please always use strong passwords and update them frequently.
Imgur has also apologized for the incident and promised to conduct an internal security review of its systems and processes. People who have any further questions are encouraged to contact the company at the firstname.lastname@example.org email address.