It may be hard to believe that back in 2009, Alan Schaaf started what was initially a side project that would go on to become one of the most popular image sharing sites on the web, Imgur. An early indication of his creation’s success was the reception it garnered on Reddit, where it attracted more than 1,600 upvotes. Now, however, it has come to light that the company suffered a data breach dating back several years.
After the exfiltrated data was sent to Troy Hunt, the owner of “Have I been pwned?”, Hunt notified Imgur late on November 23rd. Imgur’s Chief Operating Officer then alerted the company’s CEO and the Vice President of Engineering to the issue prior to the commencement of data validation. By early Friday morning, the image sharing site had determined that around 1.7 million user accounts had been impacted by the data breach that had originally taken place back in 2014 and began notifying affected users in addition to enforcing a change of password.
While the stolen data did not include any personally identifiable information, such as names, addresses, and phone numbers, as Imgur does not request that information, it did include email addresses and passwords. This, of course, puts users who re-use their credentials at higher risk of having their accounts at other websites hijacked.
Unfortunately, for some users, Have I been pwned? noted that:
“Although imgur stored passwords as SHA-256 hashes, the data in the breach contained plain text passwords suggesting that many of the original hashes had been cracked.”
Investigations into how the breach took place are ongoing but the company plans to disclose the incident to all relevant government agencies in addition to law enforcement and the state’s attorney general. However, Imgur has advised that it had rolled over to using bcrypt for password hashing in 2016 which should provide a more robust defense from that point in time onwards.
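The rollover from SHA-256 to a slow, salted hash described above, as an added example that is not Imgur's code: a login path that verifies a legacy unsalted SHA-256 record and, on a successful login, rewrites it with the stronger scheme, since the plaintext is only available at that moment. Python's standard-library scrypt stands in for bcrypt here (bcrypt is a third-party package); the record layout, the password and the scrypt parameters are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed legacy record: an unsalted SHA-256 digest, the scheme the article
# says was in use before the 2016 rollover. The password is a made-up example.
LEGACY_PASSWORD = "correct horse battery staple"
LEGACY_RECORD = {
    "scheme": "sha256",
    "hash": hashlib.sha256(LEGACY_PASSWORD.encode()).hexdigest(),
}

# Deliberately expensive work factor (16 MiB, ~tens of ms per guess); the
# point is that each guess costs far more than one SHA-256 evaluation.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash (stdlib scrypt standing in for bcrypt)."""
    return hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)


def new_record(password: str) -> dict:
    """Build a fresh record: per-user random salt plus the slow hash."""
    salt = os.urandom(16)
    return {"scheme": "scrypt", "salt": salt.hex(), "hash": slow_hash(password, salt).hex()}


def verify_and_upgrade(record: dict, password: str) -> Tuple[bool, dict]:
    """Check a login attempt; return (ok, record_to_store).

    Legacy sha256 rows are rewritten as scrypt only after a correct password,
    because that is the only time the server holds the plaintext.
    """
    if record["scheme"] == "sha256":
        candidate = hashlib.sha256(password.encode()).hexdigest()
        ok = hmac.compare_digest(candidate, record["hash"])  # constant-time compare
        return ok, (new_record(password) if ok else record)
    if record["scheme"] == "scrypt":
        candidate = slow_hash(password, bytes.fromhex(record["salt"]))
        ok = hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))
        return ok, record
    raise ValueError("unknown password scheme: %r" % record["scheme"])
```

Accounts that never log in after the rollover keep their legacy hash, which is why a forced password change (as Imgur enforced here) still matters for dormant users.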
The news comes shortly after Mozilla announced that it would be enhancing its Firefox Quantum browser with the ability to alert users to websites that have suffered a data breach.