Imgur Admits Breach of 1.7 Million Credentials in 2014 Hack

Security Vulnerability cyberattack

Image hosting service Imgur has confessed to a security breach to reveal a 2014 hack of 1.7 million emails and passwords.

In a blog post, Imgur has revealed details of an ongoing investigation that has confirmed the theft of approximately 1.7 million Imgur accounts in 2014.

The company wrote:

The compromised account information included only email addresses and passwords. Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information (“PII”_, so the information that was compromised did NOT include such PII.

The company says it has “always” encrypted users’ passwords on its databases before speculating that the hacker(s) may have cracked it with brute force from an older hashing algorithm (SHA-256) used at the time. “We updated our algorithm to the new bcrypt algorithm last year,” Imgur added, without being certain of the factors behind the breach.

The hack only came to light on November 3 after the company was contacted by security researcher Troy Hunt, the operator of data breach notification website haveibeenpwned.

While substantial, the breach of 1.7 million users is relatively meagre compared to the mega-breaches that have surfaced this year. Yahoo’s hacks in 2013 and 2014 have now been revealed to affect all 3 billion user accounts in what is cumulatively the biggest data breach ever.

Last week, ride hailing giant Uber disclosed a major hack that compromised the personal details of some 57 million Uber users and drivers. Uber knew about the hack for an entire year and even paid two hackers $100,000 for the breached data, essentially buying the stolen information and their silence. The breached information included the personal details of 57 million Uber users around the world including names, email addresses and phone numbers. A further 600,000 drivers’ details and license numbers were also stolen from the United States. New York State Attorney General Eric Schneiderman has since opened an investigation into the company’s cover-up of the breach.

Image credit: Pixabay.