Welp, 1.7M users affected by 2014 Imgur breach
1.7M emails and passwords affected. Ouch.
Image-hosting site Imgur released a post on Friday explaining that hackers compromised its systems in 2014, but that the company only learned about it recently. According to Troy Hunt, a security researcher, the compromise happened in 2014. He was sent information as a result of running the haveibeenpwned data breach notification service.
Imgur hasn't said how the breach happened. However, in 2014 they were using an older hashing algorithm for passwords, and that might have been the reason. They updated their system last year.
Imgur writes in a blog post:
On November 23, Imgur was notified of a potential security breach that occurred in 2014 that affected the email addresses and passwords of 1.7 million user accounts. While we are still actively investigating the intrusion, we wanted to inform you as quickly as possible as to what we know and what we are doing in response.
We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time. We updated our algorithm to the new bcrypt algorithm last year.
It's not new to see reports of data breaches, but Imgur was rather fast in their response. They were alerted to the breach on November 23, and on November 24 they were already alerting users. The company then went on to make a public announcement via their blog post on November 24 as well. Compared to other companies that have been breached, like Uber, a 24-hour turnaround is impressive.
This could be due to incoming regulations set by the European Union that will set a 72-hour clock on disclosures of data breaches. If the 72-hour mark is passed, then companies will be slapped with massive fines.
Regardless of whether Imgur was doing the right thing by alerting users quickly, or doing it to save their own asses, maybe it will set a tone in the industry.
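The move from SHA-256 to a slower algorithm that Imgur describes can be done without forcing password resets by re-hashing each account at its next successful login. The sketch below is an added example, not Imgur's code: it assumes the legacy format was a single unsalted SHA-256 pass (the post does not say how SHA-256 was applied), uses PBKDF2 from the Python standard library as a stand-in for bcrypt, and all function names and the iteration count are hypothetical.

```python
import hashlib
import hmac
import os
import time

PREFIX = "pbkdf2_sha256$"
ITERATIONS = 600_000  # assumed work factor for this example

def legacy_hash(password: str) -> str:
    # Assumed legacy format: one unsalted SHA-256 pass, hex encoded.
    return hashlib.sha256(password.encode()).hexdigest()

def slow_hash(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    # Per-user random salt plus a tunable work factor (stand-in for bcrypt).
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PREFIX}{iterations}${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    if stored.startswith(PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return hmac.compare_digest(legacy_hash(password), stored)

def login(db: dict, user: str, password: str) -> bool:
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith(PREFIX):
        # The plaintext is only available now, so upgrade the record here.
        db[user] = slow_hash(password)
    return True

def cost_ratio(samples: int = 2000) -> float:
    # How many times more expensive one guess is under the slow hash.
    start = time.perf_counter()
    for i in range(samples):
        legacy_hash(f"guess{i}")
    fast = (time.perf_counter() - start) / samples
    start = time.perf_counter()
    slow_hash("guess", salt=b"\x00" * 16)
    slow = time.perf_counter() - start
    return slow / fast

if __name__ == "__main__":
    db = {"alice": legacy_hash("correct horse")}  # constructed sample record
    print(login(db, "alice", "correct horse"), db["alice"][:20])
    print(f"one guess costs about {cost_ratio():,.0f}x more")
```

Accounts that never log in again keep the legacy hash, so a migration like this is usually paired with expiring or wrapping the remaining old records.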