.GIF garage Imgur plugs 1.7 million-subscriber creds breach
Phew! Nothing but emails and hashed passwords leaked
The world's self-described “most awesome” collection of images, Imgur, has confessed to leaking 1.7 million user records in 2014.
The company was advised of the breach by HaveIBeenPwned administrator Troy Hunt on November 23, 2017.
Imgur's chief operating officer Roy Sehgal posted confirmation of the breach. Hunt took to Twitter to say that notice came 25 hours after he notified the company it had a problem.
“I want to recognise @imgur's exemplary handling of this: that's 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure. Kudos! https://t.co/jV8MDscXLT” — Troy Hunt (@troyhunt), November 25, 2017
“This is really where we're at now: people recognise that data breaches are the new normal and they're judging organisations not on the fact that they've had one, but on how they've handled it when it's happened https://t.co/zV5YLa8hKQ” — Troy Hunt (@troyhunt), November 25, 2017
Hunt also noted that 60 per cent of the email addresses he examined were already in the HaveIBeenPwned database after being revealed in previous breaches of other sites.
Imgur's notice said users' registered email addresses and hashed passwords were leaked, but no personally-identifying information was included. Here's an excerpt from the company's statement:
“Early morning on November 24th, we confirmed that approximately 1.7 million Imgur user accounts were compromised in 2014. The compromised account information included only email addresses and passwords. Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information (“PII”), so the information that was compromised did NOT include such PII.”
The only risk to passwords is that until 2016 Imgur used the SHA-256 algorithm to hash passwords, and such hashes are susceptible to brute-force attacks. The company has therefore required affected users to change their passwords.
Sehgal said the site's investigation into how the breach occurred is ongoing. ®