Image sharing site Imgur revealed that it suffered a major data breach in 2014 that exposed the email addresses and passwords of approximately 1.7 million users.
Imgur reported that it received an email from security researcher Troy Hunt, who runs the data breach notification service Have I Been Pwned. The researcher believed he had been sent data that included information belonging to Imgur users. Imgur was notified of the breach on Thanksgiving, a US national holiday when most businesses are closed.
In a blog post on Friday, the company said it was “still actively investigating the incident,” but it had determined that its database “may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time.” Imgur says that in 2016 it updated its database to use the newer bcrypt algorithm, which is significantly harder to break.
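The move from a fast hash to a slow one described above can be made without knowing any user's password. The sketch below is an added example, not Imgur's code. It assumes the old rows hold unsalted SHA-256 hex digests (the page does not describe the row format), it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, and all function and field names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your own hardware

def _kdf(secret: bytes, salt: bytes) -> bytes:
    # Deliberately slow, salted derivation (stand-in for bcrypt).
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)

def legacy_sha256(password: str) -> str:
    # The fast, unsalted scheme assumed for the old rows.
    return hashlib.sha256(password.encode()).hexdigest()

def wrap_legacy(sha256_hex: str) -> dict:
    # Offline pass over every old row: the stored digest becomes the KDF
    # input, so dormant accounts are protected before their next login.
    salt = os.urandom(16)
    return {"scheme": "wrapped", "salt": salt,
            "hash": _kdf(sha256_hex.encode(), salt)}

def hash_new(password: str) -> dict:
    # Native record for new sign-ups and for accounts upgraded at login.
    salt = os.urandom(16)
    return {"scheme": "native", "salt": salt,
            "hash": _kdf(password.encode(), salt)}

def verify(record: dict, password: str):
    # Returns (ok, record_to_store); a wrapped row is upgraded on success.
    if record["scheme"] == "wrapped":
        secret = legacy_sha256(password).encode()
    elif record["scheme"] == "native":
        secret = password.encode()
    else:
        return False, record  # unknown scheme: fail closed
    ok = hmac.compare_digest(_kdf(secret, record["salt"]), record["hash"])
    if ok and record["scheme"] == "wrapped":
        return True, hash_new(password)
    return ok, record

if __name__ == "__main__":
    # Constructed sample row, not real data.
    row = wrap_legacy(legacy_sha256("constructed-sample-password"))
    ok, row = verify(row, "constructed-sample-password")
    print(ok, row["scheme"])
```

Once the offline pass has run, the original SHA-256 column must be deleted, since any copy of it left behind remains as easy to brute-force as before.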
Imgur began notifying affected users via their registered email addresses, asking them to immediately update their passwords. The company also suggested that users use a different combination of email addresses and passwords for every site and application.
Imgur's chief operating officer Roy Sehgal said that the company, based in California, also plans to disclose the data breach to the state's attorney general, law enforcement, and other relevant government agencies.