Imgur announces historical data breach impacting 1.7m users

The stolen data was sent to security researcher Troy Hunt, operator of the Have I Been Pwned data breach alert website. Hunt notified Imgur on November 23, explaining he had been handed a dataset that suggested Imgur had been compromised. The company said its Chief Operating Officer “immediately” engaged with Hunt after receiving the notice.
Over the next few hours, Imgur’s CEO and Vice President of Engineering were informed of the incident. The company verified Hunt’s authenticity and arranged to collect the data from him. Technical teams began to verify that the stolen credentials were from genuine Imgur user accounts. On November 24, Imgur made a public statement confirming the breach took place in 2014 and impacted around 1.7 million accounts.
In a tweet, Hunt described Imgur’s response to the incident as “exemplary.” In less than 26 hours, Imgur managed to mobilise staff back from Thanksgiving, obtain the data from Hunt and verify it as being part of a genuine breach. The company has already begun resetting the passwords of affected users. People whose email address is contained in the dataset will be required to set a new password.
Imgur said it’s still unsure how its database was compromised. The company said it may have been a “brute force” attack against its older account information infrastructure. In 2014, Imgur hashed passwords using the SHA-256 algorithm. The attackers may have successfully cracked the hashes because the algorithm is weaker for password storage than newer alternatives. Imgur started using bcrypt instead of SHA-256 earlier this year.
“We take protection of your information very seriously and will be conducting an internal security review of our system and processes,” said Imgur. “We apologize that this breach occurred and the inconvenience it has caused you.”
Imgur users who reuse the same password on other sites should change it on every service where it is used. The breach follows a string of similar historical security incidents disclosed this year, including attacks against LinkedIn, MySpace and Uber. The data should be searchable in Have I Been Pwned once Imgur has completed its investigation.
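The move from SHA-256 to a slow password hash described above can be done without a bulk reset by upgrading each record at the next successful login. The sketch below is an added example, not Imgur's code: the legacy record format (unsalted hex SHA-256), the function names and the work factor are assumptions, and PBKDF2 from the Python standard library stands in for bcrypt so the block runs without third-party packages.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def legacy_sha256(password):
    """Legacy record as assumed here: one unsalted SHA-256 pass, hex encoded."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, deliberately slow record: pbkdf2$<iterations>$<salt>$<key>."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${key.hex()}"


def verify_and_upgrade(password, stored):
    """Check a login attempt; return (ok, record_to_store).

    A correct password against a legacy or under-strength record yields a
    freshly salted slow hash, so old records disappear as users log in.
    """
    if stored.startswith("pbkdf2$"):
        _, iterations, salt_hex, _ = stored.split("$")
        candidate = slow_hash(password, bytes.fromhex(salt_hex), int(iterations))
        ok = hmac.compare_digest(candidate, stored)  # constant-time compare
        if ok and int(iterations) < PBKDF2_ITERATIONS:
            return True, slow_hash(password)  # work factor was raised since
        return ok, stored
    ok = hmac.compare_digest(legacy_sha256(password), stored)
    return ok, (slow_hash(password) if ok else stored)


if __name__ == "__main__":
    record = legacy_sha256("correct horse")  # constructed sample record
    ok, record = verify_and_upgrade("correct horse", record)
    print(ok, record.split("$")[:2])
```

Accounts that never log in again keep their legacy record, so a migration like this is usually paired with a forced reset for dormant or exposed accounts, as Imgur did for affected users.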
