Imgur was recently notified that a potential data breach affecting 1.7 million accounts occurred on its servers back in 2014. Imgur’s internal investigation is ongoing, but the company said it wanted to alert its users as soon as possible.

Data Breach Notification

A security researcher contacted Imgur’s Chief Operating Officer (COO) about the data breach on November 23. The COO then notified the company’s CEO/founder, as well as the Vice President of Engineering. The VP of Engineering then set up more secure communications channels so they could exchange breach information more freely. The VP also started validating the data to check whether it belonged to Imgur users.

On the morning of November 24, the company confirmed that the data from 1.7 million accounts, including email addresses and passwords, was compromised. The compromised data didn’t include Personally Identifiable Information (PII) such as real names, addresses, and phone numbers, though, because Imgur doesn’t ask for such information from its users.

How It Happened

Imgur said that it doesn’t yet know how the data breach happened, but it has been encrypting passwords and hashing them with SHA-256. However, Imgur also seems to imply that the passwords weren’t salted, so brute-force cracking should be possible, unless the users had long and unique passwords (which is probably not the case for most users). Imgur started following the industry best practice of hashing passwords with the “bcrypt” algorithm only last year.
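The following is an added illustration, not code from Imgur or from this article, of why an unsalted fast hash such as SHA-256 is a weak way to store passwords and what a salted, slow scheme changes. The user records and the wordlist are constructed sample data; the article names bcrypt, which is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it here (the relevant properties, a per-user random salt and a tunable work factor, are the same).

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample wordlist; a real audit would use a much larger one.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def sha256_unsalted(password: str) -> str:
    """The weak scheme the article describes: one fast hash, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample records in the unsalted form (username, stored hash).
# These are NOT Imgur data.
SAMPLE_RECORDS = [
    ("alice", sha256_unsalted("123456")),
    ("bob", sha256_unsalted("correct horse battery staple")),
    ("carol", sha256_unsalted("123456")),
    ("dave", sha256_unsalted("letmein")),
]


def find_duplicate_hashes(records):
    """Without a salt, users who chose the same password get the same hash,
    so the stored table itself reveals who shares a password. Returns
    {hash: [usernames]} for every hash that appears more than once."""
    seen = {}
    for user, h in records:
        seen.setdefault(h, []).append(user)
    return {h: users for h, users in seen.items() if len(users) > 1}


def dictionary_audit(records, wordlist):
    """Audit helper for a password store: hash each wordlist entry once and
    look the result up against every stored hash. One precomputation covers
    the whole table because there is no per-user salt, which is exactly why
    fast unsalted hashing is weak. Returns {username: matched_word}."""
    table = {sha256_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in records if h in table}


# Salted, slow hashing (stand-in for bcrypt). The round count is the work
# factor; raise it as hardware gets faster.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is generated when
    none is supplied, so two users with the same password get different
    digests and no single precomputed table applies to the whole store."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("shared hashes:", find_duplicate_hashes(SAMPLE_RECORDS))
    print("wordlist hits:", dictionary_audit(SAMPLE_RECORDS, COMMON_PASSWORDS))
    s1, d1 = hash_password("123456")
    s2, d2 = hash_password("123456")
    print("salted digests for the same password differ:", d1 != d2)
    print("verify ok:", verify_password("123456", s1, d1))
```

Run against the constructed records, the two audit functions show the two failure modes of the unsalted scheme: alice and carol are visibly the same password before any cracking is attempted, and three of the four accounts match a four-word list in a single pass. With the salted stand-in, the same password yields a different digest for every user and each guess must be recomputed per account at the chosen work factor.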

Mitigations

Imgur started notifying its users about the data breach advising them to update their passwords on November 24. The company also told users to always use different combinations of email addresses and passwords so that when a data breach happens at one service provider, it doesn’t affect other online accounts, too.

One thing to note from this data breach is that PII couldn’t be obtained by the hackers, because none existed. The European Union has been moving in a similar “privacy by design” direction lately, requiring companies to hold only the information their services need to function.

In Imgur’s case, only an email address and a password were needed, so when the data breach happened, nothing more could be obtained. This could be a lesson for other companies: if they are serious about protecting user data, they may not want to collect too much information in the first place.