The online image hosting website Imgur is the latest in a long line of tech services to admit to a security breach on its site. The company revealed in a blog post that the personal data of its customers had been hacked in 2014, with an estimated 1.7 million email addresses and passwords being affected.
According to Imgur, no other personal information was compromised during the incident, with the post stating that “Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information (“PII”), so the information that was compromised did NOT include such PII”.
Although the breach took place over three years ago, Imgur claims it was only recently made aware of it, when it was contacted by Troy Hunt, who runs the data breach notification service “haveibeenpwned.com”. Hunt has confirmed that most of the stolen details were found in his database.
Hunt praised the company’s quick response, saying that “I disclosed this incident to Imgur late in the day in the midst of the US Thanksgiving holidays. That they could pick this up immediately, protect impacted accounts, notify individuals and prepare public statements in less than 24 hours is absolutely exemplary.”
Imgur says it is still investigating the hack, and has yet to reveal any details about how it occurred. However, it has noted that in 2014 the site was using an older hashing algorithm to protect passwords, which could be responsible for the exposure of the passwords, as attackers could have cracked the hashes. Imgur added that “We updated our algorithm to the new bcrypt algorithm last year”.
The size of the breach is small in comparison to some recent high-profile cases, including Yahoo’s 2013 and 2014 hacking incidents, which affected an estimated 3 billion of its customers, as well as Uber’s recent hack, which is reported to have compromised the data of 57 million users and drivers.
Unlike Uber, which has admitted it kept quiet about its data breach, Imgur says that it notified its customers straight away after discovering the breach, emailing its users and resetting passwords on the 24th November, one day after it was reported to them. The site also publicly announced the breach via a blog post on its website.
The company also confirmed that the breach didn’t include any personal information from its customers, including names, addresses or phone numbers, due to the fact that this information isn’t asked for when registering with the site. It also pointed out that the stolen details account for a very small fraction of its 150 million monthly users.