Imgur said it suffered a major data breach in 2014 that compromised the email addresses and passwords of 1.7 million user accounts. The popular photo-sharing site was alerted to the breach by Troy Hunt, security expert and creator of the data breach notification website Have I Been Pwned, on Thursday (23 November), which happened to be Thanksgiving – a US national holiday when most businesses are closed.
The company confirmed the breach a day later and published a public disclosure notifying users of the intrusion.
"The compromised account information included only email addresses and passwords," Imgur's chief operating officer, Roy Sehgal, said in a statement. "Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information, so the information that was compromised did NOT include such PII."
Imgur said it is still investigating how the data was compromised.
"We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time," Imgur said. "We updated our algorithm to the new bcrypt algorithm last year."
Imgur users have been asked to update their passwords and not use the same one across multiple sites and applications.
"We take protection of your information very seriously and will be conducting an internal security review of our system and processes. We apologize that this breach occurred and the inconvenience it has caused you," the company said.
Hunt, however, praised the company for its swift response and disclosure of the breach.
"I want to recognise @imgur's exemplary handling of this: that's 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure. Kudos!" Hunt tweeted. "This is really where we're at now: people recognise that data breaches are the new normal and they're judging organisations not on the fact that they've had one, but on how they've handled it when it's happened."
Hunt noted that 60% of email addresses were already in Have I Been Pwned's database.
The disclosure is the latest in a series of security breaches that took place years ago but only came to light in 2017. Other companies that revealed major breaches include Yahoo, LinkedIn, Disqus, MySpace and We Heart It.