Imgur, one of the world’s most visited websites, has confirmed a hack dating back to 2014, the company told the Pro Tribune.
Imgur said the breach didn’t include private information because the website has “never asked” for real names, addresses, or telephone numbers.
The hack went unnoticed for four years before the stolen information was sent to Troy Hunt, who runs the data breach notification service Have I Been Pwned. Hunt informed the company on Thursday, which was Thanksgiving, a US national holiday when most businesses are closed.
A day later, the company started resetting the passwords of affected accounts and published a public disclosure alerting users to the breach.
Hunt praised the company for its quick response.
“I disclosed this incident to Imgur late in the day in the middle of the US Thanksgiving holidays,” explained Hunt. “They picked this up immediately, protected impacted accounts, notified people and prepared public statements in under 24 hours. It is absolutely exemplary.”
This is the latest historical hack in a long list of companies that have this year disclosed security breaches dating back to the turn of this decade, including Disqus, LinkedIn, MySpace, and Yahoo.
Imgur’s chief operating officer Roy Sehgal said the company was “still investigating” how the account data was compromised, but said that site security had improved since the breach.
The company said it switched its password hashing to bcrypt, a much stronger password hashing algorithm, last year. But anyone who uses the same Imgur email address and password combination on other websites also needs to change those passwords.
Sehgal also stated in an email that the company, based in California, intends to disclose the data breach to the nation’s attorney general, law enforcement, and other applicable government agencies.
According to Hunt, 60 percent of the email addresses were already in Have I Been Pwned’s database of over 4.8 billion records.