.GIF garage Imgur plugs 1.7 million-subscriber creds breach

Phew! Nothing but emails and hashed passwords leaked

The world's self-described “most awesome” collection of images, Imgur, has confessed to leaking 1.7 million user records in 2014.

The company was advised of the breach by HaveIBeenPwned administrator Troy Hunt on November 23, 2017.

Imgur's chief operating officer Roy Sehgal posted confirmation of the breach. Hunt took to Twitter to say that notice came 25 hours after he notified the company it had a problem.

Hunt also noted that 60 per cent of the email addresses he examined could already in the HaveIBeenPwned database after being revealed in previous breaches of other sites.

Imgur's notice said users' registered email addresses and hashed passwords were leaked, but no personally-identifying information was included. Here's an excerpt from the company's statement:

“Early morning on November 24th, we confirmed that approximately 1.7 million Imgur user accounts were compromised in 2014. The compromised account information included only email addresses and passwords. Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information (“PII”), so the information that was compromised did NOT include such PII.”

The only risk to passwords is that until 2016 Ingur used the SHA-256 algorithm to encrypt passwords, and this is susceptible to brute-force attacks. The company has therefore required affected users to change their passwords.

Seghal said the site's investigation into how the breach occurred is ongoing. ®

Biting the hand that feeds IT © 1998–2019