Popular image-sharing site Imgur has revealed details of a data breach affecting a small percentage of its estimated 100 million monthly active users.
The firm’s COO, Roy Sehgal, confirmed that it was contacted by a researcher last Thursday about the breach of 1.7 million user accounts — which is said to have occurred back in 2014.
“The compromised account information included only email addresses and passwords. Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information (PII), so the information that was compromised did NOT include such PII,” he added.
“We are still investigating how the account information was compromised. We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time. We updated our algorithm to the new bcrypt algorithm last year.”
Despite the breach, Imgur has been praised for its swift handling of the incident, especially as it was contacted on the US Thanksgiving holiday last Thursday.
Impacted users were contacted by email on Friday and required to update their passwords. Sehgal advised individuals to choose strong credentials and not to reuse the same log-ins across other sites.
Aussie researcher Troy Hunt, who contacted Imgur in the first instance, described the firm’s incident response as 'exemplary'.
It’s certainly a far cry from that of Uber, which infamously revealed last week that it had tried to cover up a breach of 57 million users’ details last year by paying the hackers $100,000 to delete the stolen data.
Hunt explained that 60% of the email addresses listed were already in his haveibeenpwned database, highlighting the fact that data breaches are now the new normal.
Imgur’s revelations come after big name thefts from other US tech firms including MySpace, Yahoo and LinkedIn.