Imgur, an image-sharing website which has around 150 million monthly users, has confirmed that 1.7 million email addresses and passwords were compromised in a 2014 breach that was only recently discovered.
According to the Imgur blog, Troy Hunt, a security researcher who frequently deals with data breaches, emailed Imgur on November 23. Hunt, who runs the website Have I Been Pwned, had received the stolen list of user accounts and passwords, 60 percent of which were already in his website's tracking database.
In an interview with ZDNet, Hunt said, "I disclosed this incident to Imgur late in the day in the midst of the US Thanksgiving holidays. That they could pick this up immediately, protect impacted accounts, notify individuals and prepare public statements in less than 24 hours is absolutely exemplary."
However, the hack didn't include users' personal information because the site never gathered real names, addresses or phone numbers.
Roy Sehgal, chief operating officer at Imgur, says, "We are still investigating how the account information was compromised. We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time. We updated our algorithm to the new bcrypt algorithm last year."
Imgur suggests that its users create strong passwords and update them frequently; using a unique combination of username and password to log in to the website can make them more secure.
At the end of the report, Roy Sehgal assures users that the company is very serious about their security and will be conducting an internal security review of its system and processes.