Image hosting site Imgur, which later metamorphosed into a ‘meme haven’ for social media users, has apparently been subjected to a massive data breach. The hack, which occurred in 2014, stole data from 1.7 million users, and Imgur has only just discovered the incident.
The incident came to the fore after Have I Been Pwned founder Troy Hunt notified the company. “He (Troy Hunt) believed he was sent data that included information of Imgur users. Our Chief Operating Officer received the email late night on November 23rd and immediately corresponded with the researcher to learn more about the potential breach. He simultaneously notified Imgur’s Founder/CEO and Vice President of Engineering. Our Vice President of Engineering then arranged to securely receive the data from the researcher and began working to validate that the data belonged to Imgur users,” Imgur stated in a blog post.
The data is believed to cover only a fraction of Imgur’s user base, which usually sees traffic of 150 million monthly users. The affected data may only include email addresses and passwords of the users, as the site never gathered personally-identifying information (PII) like real names, addresses or phone numbers of the users.
The site is still investigating the incident. “We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time. We updated our algorithm to the new bcrypt algorithm last year,” the company said.
“I disclosed this incident to Imgur late in the day in the midst of the US Thanksgiving holidays,” said Hunt in an interview with ZDNet. “That they could pick this up immediately, protect impacted accounts, notify individuals and prepare public statements in less than 24 hours is absolutely exemplary.”
According to him, 60 percent of email addresses were already in Have I Been Pwned’s database.
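The statement above names a move from SHA-256 to bcrypt. The following is an added example (not Imgur's code and not from the original article) of one common way such a migration is done: each stored password is rehashed with a slow, salted algorithm at the user's next successful login. The record formats, function names and iteration count are assumptions, and PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt, which is not in the standard library.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def legacy_hash(password):
    """Assumed legacy record: a single unsalted SHA-256 pass (fast to brute-force)."""
    return "sha256$" + hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, deliberately slow record; PBKDF2 is a stand-in for bcrypt here."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify(password, record):
    """Check a password against either record format in constant time."""
    scheme, _, rest = record.partition("$")
    try:
        if scheme == "sha256":
            candidate = legacy_hash(password)
        elif scheme == "pbkdf2":
            iterations, salt_hex, _ = rest.split("$")
            candidate = slow_hash(password, bytes.fromhex(salt_hex), int(iterations))
        else:
            return False
    except ValueError:  # malformed record
        return False
    return hmac.compare_digest(candidate, record)


def needs_upgrade(record):
    """True for legacy records and for slow records below the current work factor."""
    parts = record.split("$")
    return parts[0] != "pbkdf2" or int(parts[1]) < PBKDF2_ITERATIONS


def login(db, user, password):
    """Authenticate, then transparently replace a weak record while the password is known."""
    record = db.get(user)
    if record is None or not verify(password, record):
        return False
    if needs_upgrade(record):
        db[user] = slow_hash(password)
    return True
```

Accounts that never log in again keep their legacy record, so a migration like this is usually paired with a forced reset or with wrapping the old hash inside the slow one.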