Only a few days after Uber admitted last year’s data breach of 57 million customers, the popular image-sharing site Imgur disclosed that it had suffered a major data breach in 2014 that compromised the email addresses and passwords of 1.7 million user accounts.
In a blog post published on Friday, Imgur claimed that the company had been notified of a three-year-old data breach on November 23 when a security researcher emailed the company after being sent the stolen data.
Imgur’s Chief Operating Officer (COO) then alerted the company’s founder and the Vice President of Engineering to the issue before beginning work to validate that the data belonged to Imgur users.
After completing the data validation, the company confirmed Friday morning that the 2014 data breach impacted approximately 1.7 million Imgur user accounts (a small fraction of its 150 million user base) and that the compromised information included only email addresses and passwords.
Since Imgur has never asked for people’s real names, phone numbers, addresses, or any other personally-identifying information (PII), no other personal information was allegedly exposed in the data breach.
The company also said that the stolen passwords were scrambled with the older SHA-256 hashing algorithm, which can be easily cracked using brute-force attacks.
However, Imgur’s COO Roy Sehgal said the website had already moved from SHA-256 to the much stronger bcrypt password scrambler last year.
“We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time,” the image sharing service said. “We updated our algorithm to the new bcrypt algorithm last year.”
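The move from a fast hash to a slow one described above, sketched as an added example; it is not Imgur's code, and the article does not say how the migration was carried out. The standard library's scrypt stands in for bcrypt, and the salted single-pass SHA-256 legacy scheme, the record layout and all function names are assumptions.

```python
import hashlib
import hmac
import os

# scrypt stands in for bcrypt so the example needs only the standard library.
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)

def legacy_sha256(password: str, salt: bytes) -> bytes:
    """Fast pre-migration scheme (assumed layout): one salted SHA-256 pass."""
    return hashlib.sha256(salt + password.encode()).digest()

def slow_hash(data: bytes, kdf_salt: bytes) -> bytes:
    return hashlib.scrypt(data, salt=kdf_salt, **SCRYPT)

def wrap_legacy(record: dict) -> dict:
    """Batch step: harden a stored SHA-256 digest without knowing the password."""
    kdf_salt = os.urandom(16)
    return {"scheme": "scrypt(sha256)", "salt": record["salt"],
            "kdf_salt": kdf_salt, "hash": slow_hash(record["hash"], kdf_salt)}

def new_record(password: str) -> dict:
    kdf_salt = os.urandom(16)
    return {"scheme": "scrypt", "kdf_salt": kdf_salt,
            "hash": slow_hash(password.encode(), kdf_salt)}

def verify_and_upgrade(record: dict, password: str):
    """Return (ok, record); a successful login on an old scheme yields a fresh record."""
    scheme = record["scheme"]
    if scheme == "sha256":
        candidate = legacy_sha256(password, record["salt"])
    elif scheme == "scrypt(sha256)":
        inner = legacy_sha256(password, record["salt"])
        candidate = slow_hash(inner, record["kdf_salt"])
    elif scheme == "scrypt":
        candidate = slow_hash(password.encode(), record["kdf_salt"])
    else:
        return False, record
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, record
    return True, (record if scheme == "scrypt" else new_record(password))

def demo():
    # Constructed sample account, not real data.
    salt = os.urandom(16)
    old = {"scheme": "sha256", "salt": salt, "hash": legacy_sha256("hunter2", salt)}
    wrapped = wrap_legacy(old)
    ok, upgraded = verify_and_upgrade(wrapped, "hunter2")
    return old, wrapped, ok, upgraded
```

Wrapping hardens every stored hash in one pass, including accounts that never log in again, while the login path replaces the wrapped form with a direct slow hash of the password.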
The company has begun notifying affected users along with enforcing a password change.
Moreover, those using the same email address and password combination across multiple sites and applications are advised to change those details as well.