.GIF garage Imgur plugs 1.7 million-subscriber creds breach

Phew! Nothing but emails and hashed passwords leaked


The world's self-described “most awesome” collection of images, Imgur, has confessed to leaking 1.7 million user records in 2014.

The company was advised of the breach by HaveIBeenPwned administrator Troy Hunt on November 23, 2017.

Imgur's chief operating officer Roy Sehgal posted confirmation of the breach. Hunt took to Twitter to say that notice came 25 hours after he notified the company it had a problem.

Hunt also noted that 60 per cent of the email addresses he examined were already in the HaveIBeenPwned database after being revealed in previous breaches of other sites.

Imgur's notice said users' registered email addresses and hashed passwords were leaked, but no personally-identifying information was included. Here's an excerpt from the company's statement:

“Early morning on November 24th, we confirmed that approximately 1.7 million Imgur user accounts were compromised in 2014. The compromised account information included only email addresses and passwords. Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information (“PII”), so the information that was compromised did NOT include such PII.”

The only risk to passwords is that until 2016 Imgur used the SHA-256 algorithm to hash passwords, and this is susceptible to brute-force attacks. The company has therefore required affected users to change their passwords.

Sehgal said the site's investigation into how the breach occurred is ongoing. ®
