According to Imgur, on the 23rd November, a security expert got into contact with the company, informing them of a potential data breach that may have occurred in 2014. Imgur, taking this very seriously, contacted the researcher and obtained the leaked data in question. The Vice President of Engineering was then able to validate the data – confirming that it belonged to Imgur users.
Imgur’s CEO and COO were made aware of the situation and took action immediately – contacting all affected users via email and making it a requirement to change their password.
“We recommend that you use a different combination of email and password for every site and application. Please always use strong passwords and update them frequently”
The company have been very quick to react in regards to the breach and have encouraged users to contact them via email:
“We take protection of your information very seriously and will be conducting an internal security review of our system and processes. We apologize that this breach occurred and the inconvenience it has caused you. If you have questions, we encourage you to contact us at firstname.lastname@example.org.”
It is still unclear how the breach took place undetected and how it occurred in the first place. Imgur suspect that the breach was achieved using brute force as they stated that “We have always encrypted your password in our database, but it may have been cracked with brute force”. They suspect the said method was used to gain access to the information, due to the fact that Imgur was using an older hashing algorithm ‘SHA-256’. Imgur has stated that they have since updated to the new ‘bcrypt algorithm’.
Luckily for the affected users, PII (Personally-Identifying-Information) is not something that Imgur asks for when you create an account with them and they never will do, according to the company’s Chief Operating Officer (COO), Roy Sehgal: “Imgur has never asked for real names, addresses, phone numbers or other [PII]”. Because PII was not involved, users do not have to worry about the compromised data directly identifying them as an individual.
The breached data contained emails and passwords only, Imgur claims:
“On November 23, Imgur was notified of a potential security breach that occurred in 2014 that affected the email addresses and passwords of 1.7 million user accounts.”
This just goes to show how easily breaches go undetected. Uber’s breach occurred undetected and now Imgur. There will be many more news stories to come, but you must ask yourself the question of whether or not you’ve been breached and how you would even know. To find out, call us on 0345 450 9393, opt1.
Read Imgur’s notice here: https://blog.imgur.com/2017/11/24/notice-of-data-breach/
Use our solution builder > Click here
Still hungry for more? Read more