Background

Imgur Realized That It Was Hacked In 2014, Compromising 1.7 Million Users

23/11/2017

Image-sharing website Imgur said that 1.7 million email addresses and passwords were compromised in a 2014 breach.

Imgur learned about the years-old hack from Troy Hunt, who runs data breach notification service Have I Been Pwned.

Hunt believed that data he was receiving included information on Imgur users.

He emailed Imgur's Chief Operating Officer Roy Sehgal, who quickly responded to learn more about the breach. He simultaneously notified Imgur’s founder/CEO and Vice President of Engineering, who then arranged to securely receive the data from Hunt and began working to validate that the data belonged to Imgur users.

The hack affected a fraction of Imgur's 150 million monthly users, and didn't include users' personal information because the site never gathered real names, addresses or phone numbers.

Imgur believes that an older password encryption system in use at the time of the hack allowed hackers to breach the system. The company said it used the hashing algorithm SHA-256, which may have been cracked with brute force. Imgur moved to the bcrypt algorithm in 2016.
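The move from a fast hash to a deliberately slow one is usually done by rehashing each password the next time its owner logs in. The sketch below is an added example, not Imgur's code: the `sha256$` and `pbkdf2$` record formats, the function names and the iteration count are assumptions, and PBKDF2 from the Python standard library stands in for bcrypt, which the standard library does not ship.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware

def legacy_hash(password):
    """Legacy record: a single fast SHA-256 pass (hypothetical format)."""
    return "sha256$" + hashlib.sha256(password.encode()).hexdigest()

def slow_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated record: pbkdf2$<iterations>$<salt hex>$<key hex>."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${key.hex()}"

def verify_and_upgrade(stored, password):
    """Return (ok, record_to_store); a legacy record is replaced on success."""
    scheme, _, rest = stored.partition("$")
    if scheme == "sha256":
        ok = hmac.compare_digest(stored, legacy_hash(password))
        # Only a successful login gives us the plaintext needed to rehash.
        return ok, (slow_hash(password) if ok else stored)
    if scheme == "pbkdf2":
        try:
            iters, salt_hex, _ = rest.split("$")
            candidate = slow_hash(password, bytes.fromhex(salt_hex), int(iters))
        except ValueError:
            return False, stored  # malformed record: reject, leave untouched
        ok = hmac.compare_digest(stored, candidate)
        if ok and int(iters) < PBKDF2_ITERATIONS:
            return True, slow_hash(password)  # raise an outdated work factor
        return ok, stored
    return False, stored  # unknown scheme: reject

if __name__ == "__main__":
    record = legacy_hash("correct horse")  # constructed sample password
    ok, record = verify_and_upgrade(record, "correct horse")
    print(ok, record.split("$")[:2])
```

Accounts that never log in again keep their legacy record under this scheme, so a migration still needs a forced reset or a wrapped hash for dormant accounts.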

Hunt praised the company's swift response to news of the hack.

"I disclosed this incident to Imgur late in the day in the midst of the U.S. Thanksgiving holidays," said Hunt. "That they could pick this up immediately, protect impacted accounts, notify individuals and prepare public statements in less than 24 hours is absolutely exemplary."

Imgur contacted the 1.7 million users that were impacted in this breach through their registered email. Those users are required to update their passwords.

Hunt said that 60 percent of the "1.7 million records with email addresses and cracked passwords" from the Imgur hack were already listed on his Have I Been Pwned website.