2017's unending parade of major companies and web destinations suffering through major breaches of user information has not slowed down. Image-sharing site Imgur revealed it had been hacked several years ago this week, with the details of approximately 1.7 million accounts lost in 2014 to hackers who have not been identified.
Per ZDNet, this hack may be less of a reason for concern for many of the users involved as Imgur only collects email addresses and passwords, rather than any other personally identifiable information like physical addresses, phone numbers or credit card data. In a blog post on Friday, the company said it was “still actively investigating the incident,” but it had determined that its database “may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time.”
Imgur says it subsequently updated his database to use the the newer bcrypt algorithm, which is significantly harder to break, in 2016.
In particular, users who use the same password on multiple sites (which is probably most people) or those who uploaded personally identifiable content to Imgur—like, say, anyone who may have uploaded nude photos of themselves for distribution on Reddit—should be interested in changing their passwords. Still, this is much less devastating than some of the very serious hacks to occur recently, like the leak of over 145 million Americans’ personal information from credit rating agency Equifax, or a major Uber data breach that the company covered up by allegedly paying the hackers $100,000.
The breach was originally discovered by data researcher Troy Hunt, who runs the user-notification service Have I Been Pwned; the majority of the passwords were already in his database of compromised accounts.
Hunt told ZDNet that he had been sent the stolen data by another source and notified the company on Thursday. By Friday, Imgur had already publicly disclosed the breach.
“I disclosed this incident to Imgur late in the day in the midst of the U.S. Thanksgiving holidays,” Hunt told the site. “That they could pick this up immediately, protect impacted accounts, notify individuals and prepare public statements in less than 24 hours is absolutely exemplary.” [ZDNet]