Image-sharing site Imgur has revealed it was hacked in 2014 and that the email addresses and passwords of 1.7 million user accounts were compromised.
“The compromised account information included only email addresses and passwords,” read a statement from Imgur’s chief operating officer, Roy Sehgal.
“Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information, so the information that was compromised did NOT include such PII.”
“We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time,” Imgur said.
“We updated our algorithm to the new bcrypt algorithm last year.”
“We take protection of your information very seriously and will be conducting an internal security review of our system and processes. We apologize that this breach occurred and the inconvenience it has caused you,” the company added.
The company has said it is still investigating how the breach occurred and urged all users to update their passwords and avoid using the same password on multiple sites.
After notifying the company, Hunt praised its response in disclosing the hack:
“I want to recognise @imgur’s exemplary handling of this: that’s 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure. Kudos!” Troy tweeted.
“This is really where we’re at now: people recognise that data breaches are the new normal and they’re judging organisations not on the fact that they’ve had one, but on how they’ve handled it when it’s happened.”
Hunt said that 60 percent of email addresses were already in the Have I Been Pwned database, having been compromised in previous hacks.