Sign up to our newsletter
Image-hosting website Imgur discovered at the end of last week that hackers broke into its systems in 2014, and stole the account details of some 1.7 million registered users.
Imgur found out about the historic hack when HaveIBeenPwned‘s Troy Hunt contacted the company on Thursday 23 November, which was a national Thanksgiving holiday in the United States.
On November 23, Imgur was notified of a potential security breach that occurred in 2014 that affected the email addresses and passwords of 1.7 million user accounts. While we are still actively investigating the intrusion, we wanted to inform you as quickly as possible as to what we know and what we are doing in response.
Despite the festivities, Imgur quickly responded to Hunt’s message, confirmed that the data did indeed include the login credentials of users, and the following day began the process of resetting affected users’ passwords.
In a blog post, Imgur confirmed that it had been breached and that email addresses and passwords had been exposed. The site doesn’t ask its users for any additional personal information, so that fortunately was certain not to have been at risk.
At the time of writing Imgur is still investigating how hackers might have been able to breach is security systems.
Imgur did confirm, however, that (at the apparent time of the breach in 2014) it was scrambling passwords with the SHA-256 algorithm – which in recent years has fallen from favour. Imgur says that in 2016 it switched over to the stronger bcrypt hashing algorithm.
Whether you are a registered user of Imgur or not, it has become all too obvious in recent years that it is essential that no-one should use the same password for multiple online services. Reusing passwords is a recipe for disaster – opening opportunities to exploit shared credentials to break into other parts of your online life with a view to stealing identities, personal information, or simply making mischief.
Although in an ideal world Imgur would never have been hacked in the first place, I believe that the company should be commended on two counts.
Firstly, Imgur didn’t ask users when they created accounts to enter any extraneous unnecessary information – such as real names, dates of birth, addresses, or phone numbers that could have made this breach much more damaging to its victims. There’s a great deal to be said for companies limiting the amount of information that they ask from their users – the less they store about you, the less they can lose.
Secondly, Imgur’s response to being notified about the breach is excellent. Despite it being the Thanksgiving holiday in America they responded to the report of the data breach and immediately began work protecting accounts, and offered sensible advice on what affected users should do next.
Author Graham Cluley, We Live Security