A recently disclosed data breach affecting popular image-hosting website Imgur may have affected 1.7 million users. Although the breach occurred in 2014, only email addresses and passwords seem to have been affected, as the website does not require any other personal information from visitors.
As one of the world’s 50 largest websites, Imgur boasts a staggering 150 million monthly active users, although in 2014 it had an estimated 130 million. However, since the website does not require an account to view its posted content, it likely has far fewer accounts than unique visitors.
“On November 23, Imgur was notified of a potential security breach that occurred in 2014 that affected the email addresses and passwords of 1.7 million user accounts,” according to Imgur’s blog post. “While we are still actively investigating the intrusion, we wanted to inform you as quickly as possible as to what we know and what we are doing in response.”
The leaked passwords and email addresses are believed to have been stored as hashes using SHA256, which means they can be converted back to text with various online services that match the exposed hashes against a huge database of strings and their precomputed hashes. Imgur says it replaced SHA256 with the more secure bcrypt algorithm sometime last year, thwarting any future password guessing following a data breach.
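The difference between the two storage schemes can be checked directly. The following is an added example, not Imgur's code: it audits a constructed set of accounts stored first as unsalted SHA256 and then as salted, iterated hashes. PBKDF2 from the Python standard library stands in for bcrypt here (an assumption made so the example has no third-party dependency), and all user names, passwords and function names are made up.

```python
import hashlib
import hmac
import os

# Constructed sample data: three accounts, two of them sharing a password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "Vq7#pL2x!mR9"}
# Constructed stand-in for the "huge database of strings" a lookup service holds.
COMMON_STRINGS = ["123456", "password", "sunshine1", "qwerty"]

def legacy_sha256(password: str) -> str:
    """Unsalted, single-pass SHA256: the same password always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def slow_salted_hash(password: str, salt: bytes = None, iterations: int = 200_000) -> tuple:
    """Per-user random salt plus an iterated KDF (PBKDF2 standing in for bcrypt)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_slow(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def exposed_by_lookup(stored: dict) -> dict:
    """Return the accounts whose stored hash appears in a precomputed table."""
    table = {legacy_sha256(s): s for s in COMMON_STRINGS}  # built once, reused for every hash
    return {user: table[h] for user, h in stored.items() if h in table}

def audit() -> dict:
    legacy = {u: legacy_sha256(p) for u, p in USERS.items()}
    salted = {u: slow_salted_hash(p) for u, p in USERS.items()}
    return {
        "legacy_exposed": exposed_by_lookup(legacy),
        # The same table finds nothing in the salted records: the digests no longer match.
        "salted_exposed": exposed_by_lookup({u: r[2].hex() for u, r in salted.items()}),
        "legacy_duplicates_visible": legacy["alice"] == legacy["bob"],
        "salted_duplicates_visible": salted["alice"][2] == salted["bob"][2],
        "login_still_works": verify_slow("sunshine1", salted["alice"]),
    }

if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

With unsalted SHA256, one precomputed table covers every account at once and shared passwords are visible as identical hashes; with a per-user salt and a slow function, each guess has to be recomputed per account.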
“I want to recognise Imgur’s exemplary handling of this: that’s 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure,” according to security expert Troy Hunt, who reported the breach.
Imgur has quickly taken measures to notify potentially affected users, as noted by the security researchers. The company also said it will conduct an internal security check to find out how the breach occurred and potentially figure out how to prevent similar incidents.