The company told News that hackers stole 1.7 million email addresses and passwords, hashed with the SHA-256 algorithm, which has been carried over in recent years in favor of stronger password scramblers.
Imgur said the violation didn’t include private information because the site has “never asked” for real names, addresses, or phone numbers.
The stolen accounts serve a fraction of Imgur’s 150 million recurrent users.
The hack went ignored for four years until the stolen data was sent to Troy Hunt, who runs data breach information service Have I Been Pwned. Hunt notified the company on Thursday, a US national holiday observing Thanksgiving when most companies are closed.
A day later, the organization started resetting the passwords of affected accounts and published a public acknowledgment alerting users of the breach.
Hunt praised the company’s applications for its quick response.
“I disclosed this event to Imgur late in the day in the midst of the US Thanksgiving holidays,” said Hunt. “That they could pick this up quickly, protect impacted accounts, notify individuals and prepare public statements in less than 24 hours is unquestionably exemplary.”
It’s the latest actual hack from a long list of companies that have this year announced security breaches dating back to the turn of the decade, including Disqus, LinkedIn, MySpace, and Yahoo.
Imgur’s chief operating officer Roy Sehgal said the company was “still studying” how the account information was compromised but said that site security had changed since the breach.
The company said it has developed its password hashing to bcrypt, a much stronger password scrambler, last year. But anyone who uses the same Imgur email address and identification combination on other sites should also change those passwords.
Sehgal also said in an email that the business, based in California, plans to disclose the data breach to the state’s attorney general, law enforcement, and other relevant regulatory agencies.
Take your time to comment on this article.
