Privacy News Imgur confirms email addresses & passwords stolen in 2014 hack

Flengo

Level 2
Thread author
Verified
Oct 19, 2017
52
Imgur, one of the world's most visited websites, has confirmed a hack dating back to 2014.
The company confirmed to ZDNet that hackers stole 1.7 million email addresses and passwords, scrambled with the SHA-256 algorithm, which has been passed over in recent years in favor of stronger password scramblers.
Imgur said the breach didn't include personal information because the site has "never asked" for real names, addresses, or phone numbers.
The stolen accounts represent a fraction of Imgur's 150 million monthly users.
The hack went unnoticed for four years until the stolen data was sent to Troy Hunt, who runs data breach notification service Have I Been Pwned. Hunt informed the company on Thursday, a US national holiday observing Thanksgiving, when most businesses are closed.
A day later, the company started resetting the passwords of affected accounts, and published a public disclosure alerting users of the breach.
Hunt praised the company's efforts for its quick response.
"I disclosed this incident to Imgur late in the day in the midst of the US Thanksgiving holidays," said Hunt. "That they could pick this up immediately, protect impacted accounts, notify individuals and prepare public statements in less than 24 hours is absolutely exemplary."
It's the latest historical hack from a long list of companies that have this year revealed security breaches dating back to the turn of the decade, including Disqus, LinkedIn, MySpace, and Yahoo.
Imgur's chief operating officer Roy Sehgal said the company was "still investigating" how the account information was compromised, but said that site security had improved since the breach.
The company said it has changed its password hashing to bcrypt, a much stronger password scrambler, last year. But anyone who uses the same Imgur email address and password combination on other sites should also change those passwords.
Sehgal also said in an email that the company, based in California, plans to disclose the data breach to the state's attorney general, law enforcement, and other relevant government agencies.
According to Hunt, 60 percent of email addresses were already in Have I Been Pwned's database of more than 4.8 billion records.
Another day, another data breach... :rolleyes:
 
F

ForgottenSeer 19494

I'm a user since May 2014, and I don't remember if back then I was using a password manager... bad thing. I'm sure that I don't use the same password as back then anywhere. I wonder why they used SHA256 and not bcrypt since the beginning though. I haven't received a notification from Troy yet about the breach, let's hope I won't
 
  • Like
Reactions: upnorth

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Always reset your password/s in a case like this or any similar and minimize the risk of getting owned/pwned elsewhere. Better safe then sorry!
 
Last edited:
  • Like
Reactions: ForgottenSeer 19494

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top