Imgur, the popular digital image repository, has confirmed that it had suffered a major data breach three years ago that resulted in the loss of e-mail addresses and passwords of 1.7 million users.
After being alerted about the breach by researcher Troy Hunt, Imgur said that hackers may have cracked its former encryption method with brute force.
On 23rd November, security researcher Troy Hunt, who runs the popular breach-data website Have I Been Pwned?, contacted the Founder/CEO and Vice President of Engineering at Imgur and informed them that their customer database may have been compromised by malicious actors.
Following their interaction, Imgur’s Vice President of Engineering conducted a detailed analysis of the information presented by Hunt, and on 24th November the company revealed that its database had been breached in 2014 and that the breach had resulted in the loss of e-mail addresses and passwords of 1.7 million users.
‘The compromised account information included only email addresses and passwords. Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information (“PII”), so the information that was compromised did NOT include such PII,’ wrote Roy Sehgal, Imgur’s Chief Operating Officer, in a blog post.
Sehgal added that even though the company had always hashed customers’ passwords in its database, hackers may have brute-forced the hashes produced by the older hashing algorithm (SHA-256). In 2016 the company stopped using that algorithm and replaced it with a new one.
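The algorithm change Imgur describes is normally rolled out by re-hashing each password the next time its owner logs in, since that is the only moment the plaintext is available. The following is an added example, not Imgur’s code: a password store that still verifies legacy unsalted SHA-256 records (one fast hash per password, so a wordlist can be checked against every record at hardware speed) but replaces each one with a salted scrypt record on the next successful login. The record format, field names and scrypt parameters are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed record formats: "sha256$<hex>" for legacy unsalted hashes,
# "scrypt$<salt hex>$<digest hex>" for the upgraded ones.
LEGACY_PREFIX = "sha256$"
SCRYPT_PREFIX = "scrypt$"
# scrypt cost: 128 * N * r * p bytes = 16 MiB per guess (assumed parameters).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def legacy_sha256(password: str) -> str:
    """Legacy scheme: plain SHA-256, no salt, no work factor."""
    return LEGACY_PREFIX + hashlib.sha256(password.encode()).hexdigest()


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Upgraded scheme: random 16-byte salt plus a memory-hard KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return SCRYPT_PREFIX + salt.hex() + "$" + digest.hex()


def verify(stored: str, password: str) -> bool:
    """Check a password against either record format in constant time."""
    if stored.startswith(LEGACY_PREFIX):
        return hmac.compare_digest(stored, legacy_sha256(password))
    if stored.startswith(SCRYPT_PREFIX):
        _, salt_hex, digest_hex = stored.split("$")
        candidate = hashlib.scrypt(
            password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS
        )
        return hmac.compare_digest(candidate.hex(), digest_hex)
    return False  # unknown format: fail closed


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate and, on success, migrate a legacy record in place."""
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith(LEGACY_PREFIX):
        users[username] = scrypt_hash(password)  # plaintext is only known now
    return True
```

Records that never log in again stay in the legacy format, so a migration like this is usually paired with forced resets for accounts still holding SHA-256 hashes after a cut-off date.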
Imgur has notified all affected users about the breach via e-mail and has asked them to update their passwords as soon as possible.
‘We take protection of your information very seriously and will be conducting an internal security review of our system and processes. We apologize that this breach occurred and the inconvenience it has caused you,’ Sehgal added.
Following Imgur’s prompt response after he highlighted the breach to company executives, Hunt said he was impressed with how seriously they treated the incident.
‘I want to recognise @imgur’s exemplary handling of this: that’s 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure. Kudos!,’ he tweeted.
This incident reminds us how companies that have not updated encryption algorithms to secure their customers’ personally identifiable information are placing such data at risk. Back in October, global news commenting software maker Disqus announced that hackers had successfully breached SHA-1 hashed passwords, usernames, and last login dates for as many as 17.5 million users!
Just as he had praised Imgur’s prompt response to being informed about a breach, Troy Hunt also lauded Disqus for its ‘exemplary handling’ of the data breach. A number of other Twitter users also chipped in, stating that public disclosure of the breach within 24 hours was unexpected.
‘23 hours and 42 minutes from initial private disclosure to @disqus to public notification and impacted accounts proactively protected,’ Hunt wrote on Twitter.
‘Extremely rare to see any organization with millions of users react that quickly after a breach. Usually takes weeks for the “quick” ones,’ chipped in another user.
‘This is how you handle a breach…upfront and explained in basic terms. Way to go @disqus, now off to change my password ;-),’ added an affected user.