Online image sharing and hosting service Imgur was breached in 2014, resulting in the theft of roughly 1.7 million user email addresses and passwords, the company confirmed last Friday in an online notification.
Security researcher Troy Hunt, founder of the website “Have I been pwned?”, initially alerted Imgur management of the incident after he was sent data corresponding to a subset of the service provider's users. Account holders' real names, addresses, phone numbers and other personally identifiable information were not exposed, as the San Francisco-based company does not request such data. However, the passwords appeared to be successfully cracked, as they were written in plain text, Hunt reported via his website.
Imgur COO Roy Sehgal suggested in his company's security alert that the attackers likely deciphered the passwords by employing brute-force attacks – noting that at the time of their creation, the passwords relied on SHA-256, which is comparatively weaker to the bcrypt encryption algorithm that Imgur has used since 2016.
Imgur says it is still investigating how the account information was compromised. Although the data breach took place years ago, the company at least earned praise for its quick response once it became aware of the issue.
Imgur first learned of the incident on Thanksgiving, 23 November 2017, when Hunt provided the company with the stolen data, which the company quickly verified belonged to its user community. The next day, Imgur began notifying impacted users via email, requiring affected individuals to update their passwords.
In a small discrepancy, Hunt states on his website that the breach appears to have taken place in September 2013, as opposed to 2014, as Imgur claims on its website. However, via Twitter, Hunt told a commenter that this inconsistency is “relatively inconsequential,” noting that Imgur may have revised the date of attack that Hunt provided after further internal investigation.
“I want to recognise @imgur's exemplary handling of this: that's 25 hours and 10 mins from my initial email… to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure,” Hunt said via Twitter in praise of the company.
"This is really where we're at now: people recognise that data breaches are the new normal, and they're judging organisations not on the fact that they've had one, but on how they've handled it when its happened," Hunt added.