Popular image-sharing website Imgur issued a security warning confirming a hack dating back to 2014. The company stated that hackers broke through the website's defences to steal the email addresses and passwords of about 1.7 million user accounts. The company clarified that it is still investigating how this happened and will inform users as quickly as possible about whatever the investigation uncovers.
Imgur stated that a security researcher emailed the company on 23 November 2017 to say he believed he had been sent data belonging to Imgur users. The company's COO received the email late at night on 23 November and immediately replied to the researcher to talk and learn more about the potential breach. The COO informed the company's Founder/CEO and its Vice President of Engineering about the email and the potential breach. The VP of Engineering securely received the data, and by early morning on 24 November the company confirmed that 1.7 million Imgur accounts ‘were compromised in 2014’.
The company clarified that it never asked for real names, addresses, phone numbers or any other personally identifying information, so no such information was compromised. It is not sure how the account information was compromised, as it has always encrypted the passwords in its database. However, Imgur suspects that the hackers cracked passwords protected with the older hashing algorithm, SHA-256, using a brute-force attack. The company updated its algorithm to the new 'bcrypt' algorithm last year.
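A move from SHA-256 to a slow password hash, like the one described above, can cover every stored account at once instead of waiting for each user to log in. The sketch below is an added example, not Imgur's code: it assumes unsalted hex SHA-256 legacy records and a hypothetical record layout, and it uses PBKDF2 from the Python standard library as a stand-in for bcrypt.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for the stand-in slow hash


def legacy_sha256(password: str) -> str:
    """Assumed legacy scheme: a single unsalted SHA-256 pass, hex-encoded."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(secret: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt: salted PBKDF2-HMAC-SHA256 with a high iteration count."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def wrap_legacy(record: dict) -> dict:
    """Offline step: wrap a stored SHA-256 digest in the slow hash.

    Needs no plaintext, so every account is protected immediately.
    The hex digest is 64 ASCII bytes with no NULs, which also suits bcrypt.
    """
    if record["scheme"] != "sha256":
        return record
    salt = os.urandom(16)
    return {"scheme": "slow(sha256)", "salt": salt,
            "hash": slow_hash(record["hash"].encode(), salt)}


def verify_and_upgrade(record: dict, password: str):
    """Check a login; on success return a record hashed directly from the password."""
    record = wrap_legacy(record)  # no-op unless the record is still legacy
    if record["scheme"] == "slow(sha256)":
        candidate = slow_hash(legacy_sha256(password).encode(), record["salt"])
    else:  # scheme "slow": already hashed directly from the password
        candidate = slow_hash(password.encode(), record["salt"])
    if not hmac.compare_digest(record["hash"], candidate):
        return False, record
    if record["scheme"] == "slow":
        return True, record
    salt = os.urandom(16)  # fresh salt for the final, unwrapped form
    return True, {"scheme": "slow", "salt": salt,
                  "hash": slow_hash(password.encode(), salt)}
```
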
As soon as the data was confirmed, the company started emailing the users impacted by the breach at the email addresses registered in its system. It now requires those users to reset their passwords, and it published a public disclosure at 4 PM.
The company stated that it will conduct an internal security review of its systems and processes, and urged users not to use the same email ID and password on multiple websites. This comes days after Uber disclosed that it was breached last year. However, this case is completely different, as Imgur made the breach public as soon as it discovered it instead of trying to cover it up.