After the exfiltrated data was sent to Troy Hunt, the owner of "Have I been pwned?", Hunt notified Imgur late on November 23rd. Imgur's Chief Operating Officer then alerted the company's CEO and the Vice President of Engineering to the issue prior to the commencement of data validation. By early Friday morning, the image sharing site had determined that around 1.7 million user accounts had been impacted by the data breach that had originally taken place back in 2014 and began notifying affected users in addition to enforcing a change of password.
On November 23, we were notified about a data breach on Imgur that occurred in 2014. While we are still actively investigating the intrusion, we wanted to inform you as quickly as possible as to what we know and what we are doing in response. More: https://t.co/qElAetGVIc
— Imgur (@imgur) November 25, 2017
While the stolen data did not include any personally identifiable information, such as names, addresses, and phone numbers, as Imgur does not request that information, it did include email addresses and passwords. This, of course, puts users who re-use their credentials at higher risk of having their accounts at other websites hijacked.
Unfortunately, for some users, Have I been pwned? noted that:
"Although imgur stored passwords as SHA-256 hashes, the data in the breach contained plain text passwords suggesting that many of the original hashes had been cracked."
Investigations into how the breach took place are ongoing, but the company plans to disclose the incident to all relevant government agencies in addition to law enforcement and the state's attorney general. However, Imgur has advised that it had rolled over to using bcrypt for password hashing in 2016, which should provide a more robust defense from that point in time onwards.
Source: https://www.neowin.net/news/17-million-account-credentials-stolen-from-imgur-in-2014