Imgur hack exposes 1.7m accounts: What you need to know

Another day, another security breach: Imgur has confirmed reports of a breach that affected around 1.7 million users. While Imgur has a vast user base and that's a comparatively small chunk of it, that's still a whole lot of affected users, making this a hugely important issue for the company. Even though security breaches like this one seem all too common these days, there are a few things about this Imgur breach that make it stand out from the rest.

The first item of note is that Imgur was actually hacked way back in 2014. Up until this weekend, Imgur wasn't aware that a breach had actually happened. It didn't know of the problem until November 23, when it was notified of the potential breach by Troy Hunt, security researcher and creator of Have I Been Pwned.

Hunt was sent data relating to the breach and emailed the company on the afternoon of November 23, according to an Imgur blog post describing the situation. Imgur then launched an investigation into the breach and found that around 1.7 million users were involved, with their email addresses and passwords being compromised.

While Imgur says that it's still investigating the nature of the breach, it seems the hashing algorithm it used in 2014 may have been to blame. Imgur theorizes that the hacker may have been able to crack the passwords by brute force because they were hashed with SHA-256, an algorithm the company stopped using last year.

The second surprising thing about this whole breach is how quickly Imgur got to work on alerting users. Emails began going out to affected users on the morning of November 24, less than 24 hours after Hunt first brought attention to the breach. On Twitter, Hunt praised Imgur for taking quick action, noting that it was a mere 25 hours and 10 minutes between the time that he sent his initial email and the time Imgur published a press release detailing the breach on its blog.

Even more impressive is the fact that this fast response was carried out over a holiday weekend, when many Imgur employees would be off work and with their families. That certainly isn't something most of us will be used to, as some companies seem to sit on this information and try to keep it quiet as long as possible.

If you had one of those Imgur emails land in your inbox, it's a good idea to change your password as soon as you can. As always, using unique logins for each of your online accounts and identities is the best way to limit your risk when it comes to security breaches like this, so if you haven't yet, it might be a good time to invest in a password manager like LastPass or 1Password. We'll see if Imgur has any more information to share about this breach soon enough, but for now, kudos to it for organizing such a fast response.