Time to change your password: Imgur was hacked in 2014
While much of the US was celebrating Thanksgiving, social image hosting site Imgur was made aware of a security breach that took place back in 2014. Around 1.7 million user accounts were affected.
This is a relatively small percentage of Imgur users, and COO Roy Sehgal points out that the site has never asked for "personally-identifying information." Nevertheless, the company is contacting the owners of affected accounts, advising them to change their passwords.
Hackers managed to steal email addresses and passwords. This might be a concern for anyone who reuses passwords across multiple services, although the stolen passwords were hashed with the SHA-256 algorithm. This method of protecting passwords is, technically, breakable, and Imgur has since switched to the bcrypt algorithm instead.
The matter was brought to Imgur's attention by security researcher Troy Hunt, as the company explains in a blog post about the incident:
On the afternoon of November 23rd, an email was sent to Imgur by a security researcher who frequently deals with data breaches. He believed he was sent data that included information of Imgur users. Our Chief Operating Officer received the email late night on November 23rd and immediately corresponded with the researcher to learn more about the potential breach. He simultaneously notified Imgur's Founder/CEO and Vice President of Engineering. Our Vice President of Engineering then arranged to securely receive the data from the researcher and began working to validate that the data belonged to Imgur users.
Early morning on November 24th, we confirmed that approximately 1.7 million Imgur user accounts were compromised in 2014. The compromised account information included only email addresses and passwords. Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information ("PII"), so the information that was compromised did NOT include such PII.
Hunt was impressed by the speed with which Imgur acknowledged the matter, started an investigation, and went public. He tweeted:
I want to recognise @imgur's exemplary handling of this: that's 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure. Kudos! https://t.co/jV8MDscXLT
— Troy Hunt (@troyhunt) November 25, 2017
If your account was included in the security breach, you should have received an email from Imgur telling you to change your password. It's worth noting Imgur's advice as well:
We recommend that you use a different combination of email and password for every site and application. Please always use strong passwords and update them frequently.
The company is still conducting its investigation to discover just how the security breach occurred.