Imgur, one of the most popular websites worldwide, has confirmed that hackers got away with email addresses and passwords in 2014. The company estimates that around 1.7 million email addresses and passwords were stolen. Still, this is only a small percentage of Imgur’s 150 million monthly users.
The passwords were scrambled with the SHA-256 algorithm, which has fallen out of use for this purpose in recent years, as better and stronger options are available. Luckily, the cybersecurity breach did not involve names, addresses, or phone numbers, as the website never collected these in the first place.
Within 24 hours of learning of the breach, the company alerted the affected account owners and enforced a mandatory password reset on those accounts. Troy Hunt, the owner of the Have I Been Pwned website, complimented the company on its exemplary and fast response.
Roy Sehgal, chief operating officer at Imgur, reports that the company is still investigating the origin of the cybersecurity breach. According to him, the company's security measures have improved since then.
Imgur now uses bcrypt to protect stored passwords, which is a much stronger scrambler. Still, anyone who uses the same password on other websites is advised to change it on those sites immediately, as a preventative measure.
Sehgal also revealed that the company is planning to disclose the details of the breach to the state’s attorney general and other local authorities. Hunt said that 60 per cent of the stolen email addresses were already present in the Have I Been Pwned database, which consists of more than 4.8 billion records.