Imgur, the frequently visited online image sharing website, was hacked back in 2014, when attackers stole around 1.7 million email addresses and passwords. Imgur posted on its blog that the passwords were protected with the SHA-256 algorithm and that, since the website does not ask for real names, addresses, phone numbers and other personal information, nothing other than email IDs and passwords was stolen.
Imgur reported that it received an email from security researcher Troy Hunt, who runs the data breach notification service Have I Been Pwned. The researcher believed he had been sent data that included information on Imgur users. Imgur was notified of the breach on Thanksgiving, a US national holiday when most businesses are closed.
Imgur made a public disclosure of the hack and began notifying affected users via their registered email addresses, asking them to update their passwords immediately.
Imgur believes the passwords may have been cracked by brute force, as the site was using an outdated hashing algorithm at that time, which has since been updated. The 1.7 million stolen user records form only a fraction of Imgur’s 150 million monthly users.
“We are still investigating how the account information was compromised. We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time. We updated our algorithm to the new bcrypt algorithm last year,” Imgur wrote in the blog.
Imgur has said it will conduct an internal security review of its systems and processes and has apologised for the breach of personal data. The company also suggested that users use a different combination of email addresses and passwords for every site and application.
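A change of password hashing algorithm like the one Imgur describes is commonly rolled out by rehashing each password at the user's next successful login, since the plaintext is only available at that moment. The following is an added example, not Imgur's code: it assumes the legacy records were single unsalted SHA-256 digests (the page does not say), uses PBKDF2 from Python's standard library as a stand-in for bcrypt, and its function names, record format and iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # work factor for the slow KDF (assumed value)


def legacy_hash(password):
    # Legacy scheme assumed for this example: one unsalted SHA-256 pass.
    return "sha256$" + hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password, salt=None, iterations=ITERATIONS):
    # Per-user random salt plus a tunable iteration count. PBKDF2 stands in
    # for bcrypt here because it ships with the standard library.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(db, user, password):
    """Check a login and migrate a legacy record to the slow KDF on success."""
    stored = db.get(user)
    if stored is None:
        return False
    scheme = stored.split("$", 1)[0]
    if scheme == "sha256":
        ok = hmac.compare_digest(stored, legacy_hash(password))
        if ok:
            # The plaintext is in hand only now, so replace the weak record.
            db[user] = slow_hash(password)
        return ok
    if scheme == "pbkdf2":
        _, iters, salt_hex, _ = stored.split("$")
        candidate = slow_hash(password, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(stored, candidate)
    return False  # unknown scheme: fail closed
```

Accounts that never log in again keep their legacy record, so a migration of this kind is usually paired with a forced password reset for those users.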