The passwords were encrypted but may have been cracked using brute-force techniques, says Imgur’s chief operating officer
Popular image-sharing website Imgur said it has discovered a data breach that affected 1.7 million users, exposing their email addresses and decrypted passwords.
The breach came to light when Troy Hunt, an Australian security researcher who specialises in data breaches, received stolen data that appeared to list Imgur user credentials.
Hunt, who operates the Have I Been Pwned breach notification site, notified Imgur late on Thursday of last week – the Thanksgiving Day holiday in the US, where Imgur is located – and Imgur began validating the data.
After confirming the information did indeed belong to its users, Imgur said it began notifying users on Friday morning local time, or Friday evening GMT. The company disclosed the breach publicly later in the day.
The San Francisco-based firm, which has about 150 million users, said the breach seems to have occurred in 2014. The investigation is ongoing, and Roy Sehgal, the company’s chief operating officer, said it wasn’t yet known how the data had been leaked.
“We are still investigating how the account information was compromised,” he wrote in a blog post.
Sehgal said Imgur encrypts users’ passwords, but those found in the leaked data may have been cracked using brute-force techniques.
At the time Imgur hashed passwords with SHA-256, a fast general-purpose hash that is now considered unsuitable for password storage because leaked hashes can be brute-forced quickly; the company moved to the deliberately slow bcrypt algorithm in 2016.
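The migration described above, as an added illustration that is not Imgur’s code: a password store that still holds legacy unsalted SHA-256 hashes and upgrades each one to a salted, slow hash the next time that user logs in successfully. The standard library’s PBKDF2-HMAC-SHA256 stands in for bcrypt here, and the iteration count is an assumed value.

```python
import hashlib
import hmac
import os

# Added example, not Imgur's code. PBKDF2-HMAC-SHA256 stands in for bcrypt;
# the upgrade-on-login pattern is the same for either slow hash.
PBKDF2_ITERATIONS = 200_000  # assumption: tune so one hash costs ~100 ms


def legacy_sha256(password):
    """Unsalted, fast hash: cheap to brute-force once the table leaks."""
    return "sha256$" + hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password, salt=None):
    """Salted, iterated hash: each guess costs the attacker PBKDF2_ITERATIONS."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored, password):
    """Check a password against either hash format, in constant time."""
    scheme, rest = stored.split("$", 1)
    if scheme == "sha256":
        candidate = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, rest)
    if scheme == "pbkdf2":
        iters, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False  # unknown scheme: fail closed


def login(store, user, password):
    """Verify the login and silently re-hash legacy entries on success.

    The plaintext is only available at login time, so this is the one
    moment a legacy hash can be replaced without forcing a reset.
    """
    stored = store.get(user)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith("sha256$"):
        store[user] = slow_hash(password)
    return True


def needs_upgrade(store):
    """Users still on the legacy hash; useful to track migration progress."""
    return [u for u, h in store.items() if h.startswith("sha256$")]
```

Accounts that never log in keep their legacy hash, so a migration like this is normally paired with a deadline after which remaining legacy hashes are invalidated and those users must reset.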
While Imgur doesn’t ask for any user information other than an email address, the breach could nevertheless pose a serious risk to those involved due to the common practice of reusing passwords across different online services.
Previous data breaches have seen hackers subsequently take control of other accounts using those passwords – as when Twitter and Pinterest accounts belonging to Facebook’s Mark Zuckerberg were hacked in June 2016 with a password he had used on LinkedIn.
The LinkedIn credentials had been leaked in a 2012 breach that affected 117 million users, and were then put up for sale in May 2016.
At the time many other users also reported accounts being hacked using leaked LinkedIn credentials, including IBM computer security researcher Nick Bradley, who watched as an attacker logged into his TeamViewer remote desktop account and began trying to take over his computer while he was in the middle of a gaming session.
Dangers of password reuse
Security experts said this latest breach should remind users of the dangers of reusing passwords across multiple services.
“Reusing passwords is a recipe for disaster – opening opportunities to exploit shared credentials to break into other parts of your online life with a view to stealing identities, personal information, or simply making mischief,” said security analyst Graham Cluley in an advisory.
But he praised Imgur for retaining minimal data on its users and for its quick disclosure of the incident.
“Imgur’s response to being notified about the breach is excellent,” he wrote. “Despite it being the Thanksgiving holiday in America they responded to the report of the data breach and immediately began work protecting accounts.”
Imgur launched in 2009 as its founder’s side-project while he studied computer science at Ohio University, and quickly grew into one of the web’s largest image-sharing sites.
The company moved from Ohio to San Francisco in 2011.