Imgur has discovered what it calls a "potential security breach" that happened three years ago. The breach allowed the attackers to make off with the emails and passwords of 1.7 million user accounts. Imgur says that it is still investigating the breach, but that it wanted to warn its users of the intrusion and tell people what it is doing as a result.
Imgur writes that last week it received an email from security researcher Troy Hunt about the breach. Imgur wrote, "Our Chief Operating Officer received the email late night on November 23rd and immediately corresponded with the researcher to learn more about the potential breach. He simultaneously notified Imgur’s Founder/CEO and Vice President of Engineering. Our Vice President of Engineering then arranged to securely receive the data from the researcher and began working to validate that the data belonged to Imgur users."
Imgur writes that in the early morning of November 24 it confirmed that about 1.7 million user accounts were compromised back in 2014. "The compromised account information included only email addresses and passwords. Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information (“PII”), so the information that was compromised did NOT include such PII," wrote Imgur in a blog post.
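The company is still investigating exactly how the hackers accessed the data. Imgur says it has always encrypted passwords in its database, but it believes at this time that the passwords may have been cracked by brute force because of the older SHA-256 hashing algorithm that was in use at the time. SHA-256 is a fast general-purpose hash, so anyone holding the stolen hashes can test password guesses offline at very high rates; bcrypt is deliberately slow and salts each password, which makes every guess far more expensive. Imgur says that it switched to bcrypt last year.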
Impacted users were notified starting on November 24 via their registered email addresses, and all affected users were required to update their passwords. As for protecting your online accounts, Imgur has some suggestions: "We recommend that you use a different combination of email and password for every site and application. Please always use strong passwords and update them frequently."
Imgur wrote, "We take protection of your information very seriously and will be conducting an internal security review of our system and processes. We apologize that this breach occurred and the inconvenience it has caused you. If you have questions, we encourage you to contact us at firstname.lastname@example.org."