In a continuing trend of major websites admitting to large-scale security breaches, Imgur one of the internet’s largest photo-sharing website, stated that 1.7 million emails addresses and passwords were stolen in a hack dating back to 2014.
The company told ZDNet that hackers stole 1.7 million email addresses and passwords, scrambled with the SHA-256 algorithm, which has been passed over in recent years in favor of stronger password scramblers.
Imgur said the breach didn’t include personal information because the site has “never asked” for real names, addresses, or phone numbers.
The stolen accounts represent a fraction of Imgur’s 150 million monthly users.
The hack went quietly unnoticed for years before the stolen information was sent to cyber-security expert Troy Hunt who runs data breach notification service Have I Been Pwned? We spoke with Troy earlier this year about his site and the nature of these breaches. You can find the transcribed interview here.
Hunt informed the company on Thursday, a US national holiday observing Thanksgiving, when most businesses are closed.
A day later, the company started resetting the passwords of affected accounts, and published a public disclosure alerting users of the breach. Hunt praised the company’s efforts for its quick response.
Imgur’s chief operating officer Roy Sehgal said the company was “still investigating” how the account information was compromised, but said that site security had improved since the breach.
The company said it has changed its password hashing to bcrypt, a much stronger password scrambler, last year. But anyone who uses the same Imgur email address and password combination on other sites should also change those passwords.
Sehgal also said in an email that the company, based in California, plans to disclose the data breach to the state’s attorney general, law enforcement, and other relevant government agencies.
Read the full story over at ZDNet.com