Imgur says 1.7M emails and passwords were breached in 2014 hack

Image-hosting site turned meme social network, Imgur, is the latest tech service to ‘fess up to a security breach. In a blog post Friday it revealed that hackers had compromised its systems in 2014, with ~1.7M emails and passwords affected.

No additional information was apparently compromised in the breach.

“Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information (“PII”), so the information that was compromised did NOT include such PII,” it emphasizes.

While the hack occurred three years ago, Imgur says it only came to light on November 23 — when it was contacted by security researcher, Troy Hunt, who had been sent the stolen data as a consequence of running the haveibeenpwned data breach notification service.

Hunt has since tweeted to confirm that the majority of the stolen credentials were already in his  database (although he appears to have tweeted the wrong date for the Imgur hack):

Imgur hasn’t confirmed how the breach occurred as yet — saying it’s still investigating. Although it does note that in 2014 it was using an older hashing algorithm (SHA-256) for encrypting passwords in its database, and suggests the hackers could thus have decrypted the stolen credentials using a brute force attack.

“We updated our algorithm to the new bcrypt algorithm last year,” it adds.

Sad to say, data breach disclosures are an all too regular occurrence these days.

And a breach affecting 1.7M users appears almost modest in comparison beside some of the recently disclosed mega-hacks.

Principally, Yahoo’s massive hacks in 2013 and 2014 — which apparently affected all 3BN of its accounts.

But also just last week Uber disclosed a huge hack that compromised the personal data of 57M Uber users and drivers.

What is notable here is the apparent speed of disclosure. So while Imgur says it only became aware of the hack on November 23, by the morning of November 24 it had begun notifying impacted users (via their registered email address), and forcing password resets.

It also made a public disclosure of the breach via its blog post on November 24, at 4PM PST.

Compare that with Uber — which kept quiet about a massive October 2016 breach for the best part of a year, having learned that hackers stole the user data in November 2016.

In Uber’s case, the compromised information also included PII (names, addresses, phone numbers and around 600,000 US drivers’ licenses). So the associated risks to users — such as ID theft — is greater.

Another thing to note is that new rules incoming in the Europe Union will set a data breach disclosure standard of 72 hours from May next year. And under the GDPR data controllers will also face far stiffer penalties for failing to comply.

So, for example, under Europe’s incoming rules the recent breach disclosed by Equifax — affecting ~143M consumers, including some in Europe, and including names, addresses, dates of birth, social security numbers, drivers’ licenses and (for a subset) credit card info — could have resulted in a fine as high as $68.5M, based off of projections for the company’s full year revenue for 2017.

Whereas companies that disclose breaches promptly — as Imgur appears to have done here — will be at far lower risk of being slapped with large fines under GDPR, if they are also handling European citizens’ data.

So perhaps, as the financial risks of storing and handling user data step up, we’ll start to see more data breaches disclosed promptly. While, over time, EU lawmakers’ hope is there will be fewer major breaches occurring as security and data protection gets given far more executive priority.