Imgur is the latest company to announce a major data breach after the fact. Just days ago, Uber announced a breach that occurred last year and affected 57 million users. It was also revealed that Uber paid the hackers for the stolen data and told them to keep quiet. The Imgur data breach doesn’t affect nearly as many users as Uber’s, but 1.7 million users is still a significant number. The company also revealed that the breach occurred in 2014 and that it is only now being notified about it. The information the hackers obtained seems to be limited to email addresses and passwords.
On November 23, Imgur was notified of a potential security breach that occurred in 2014 that affected the email addresses and passwords of 1.7 million user accounts. While we are still actively investigating the intrusion, we wanted to inform you as quickly as possible as to what we know and what we are doing in response.
On the afternoon of November 23rd, an email was sent to Imgur by a security researcher who frequently deals with data breaches. He believed he was sent data that included information of Imgur users. Our Chief Operating Officer received the email late night on November 23rd and immediately corresponded with the researcher to learn more about the potential breach. He simultaneously notified Imgur’s Founder/CEO and Vice President of Engineering. Our Vice President of Engineering then arranged to securely receive the data from the researcher and began working to validate that the data belonged to Imgur users.
Early morning on November 24th, we confirmed that approximately 1.7 million Imgur user accounts were compromised in 2014. The compromised account information included only email addresses and passwords. Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information (“PII”), so the information that was compromised did NOT include such PII.
We are still investigating how the account information was compromised. We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time. We updated our algorithm to the new bcrypt algorithm last year.
The company has begun notifying the users whose accounts were impacted and is requiring them to change their passwords. Imgur also recommends that all users change their passwords straight away. If you have any questions about this data breach, the company encourages you to reach out to them at [email protected].
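The statement's move from SHA-256 to bcrypt is a password-storage migration. The sketch below is an added example, not Imgur's code: it assumes the legacy scheme was a single unsalted SHA-256 pass, uses the standard library's scrypt as a stand-in for bcrypt, and all record formats, function names, users and passwords are constructed for illustration. It rehashes on successful login and wraps the legacy hashes of dormant accounts.

```python
import hashlib
import hmac
import os

# Constructed parameters; scrypt (standard library) stands in for bcrypt.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def sha256_hex(password: str) -> str:
    """Legacy scheme assumed here: one unsalted SHA-256 pass (fast to guess)."""
    return hashlib.sha256(password.encode()).hexdigest()

def _slow(secret: str, salt: bytes) -> str:
    return hashlib.scrypt(secret.encode(), salt=salt, **SCRYPT).hex()

def new_record(password: str) -> str:
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${_slow(password, salt)}"

def wrap_legacy(record: str) -> str:
    """Harden a dormant account's hash without knowing its password."""
    salt = os.urandom(16)
    return f"scrypt-sha256${salt.hex()}${_slow(record.split('$')[1], salt)}"

def verify(password: str, record: str) -> bool:
    scheme, *fields = record.split("$")
    if scheme == "sha256" and len(fields) == 1:
        return hmac.compare_digest(sha256_hex(password), fields[0])
    if scheme in ("scrypt", "scrypt-sha256") and len(fields) == 2:
        secret = password if scheme == "scrypt" else sha256_hex(password)
        return hmac.compare_digest(_slow(secret, bytes.fromhex(fields[0])), fields[1])
    return False  # unknown or malformed scheme

def login(db: dict, user: str, password: str) -> bool:
    record = db.get(user)
    if record is None or not verify(password, record):
        return False
    if not record.startswith("scrypt$"):
        db[user] = new_record(password)  # rehash while the plaintext is in hand
    return True

def demo() -> dict:
    # Constructed sample users sharing one constructed password.
    db = {u: "sha256$" + sha256_hex("hunter2") for u in ("alice", "bob", "carol")}
    same_before = db["alice"] == db["bob"]  # identical hashes reveal shared passwords
    db["carol"] = wrap_legacy(db["carol"])  # carol never logs in again
    for user in ("alice", "bob"):
        login(db, user, "hunter2")
    return {"db": db, "same_before": same_before}
```

Rehash-on-login alone leaves every account that never returns stored under the old scheme, which is why the dormant records are wrapped in place.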