It is now clear that 2017 has not been a good year for enterprises and organizations facing security challenges. Worse still is the nightmare of a company realizing in 2017 that it was hacked three years ago. One example is Imgur, an image hosting and sharing platform, which learned of a data breach affecting more than 1.7 million user accounts.
The breach was discovered by security researcher Troy Hunt, who notified Imgur on November 23rd. Hunt, who runs the data breach notification service Have I Been Pwned, had received data that he believed belonged to Imgur. Imgur confirmed the breach and corresponded with the researcher to learn more about other potential vulnerabilities. Imgur responded swiftly and is now ensuring that the right security measures are implemented.
How Did the Breach Occur?
Imgur is still investigating how the data breach happened, but it stated that the attack was a brute-force one: until 2016 Imgur used the older SHA-256 hashing algorithm to protect the passwords in its database. The likely conclusion is that the attackers cracked those hashes by brute force and recovered the passwords. Imgur switched to the bcrypt hashing algorithm last year; it is a much stronger password hashing algorithm than SHA-256.
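The contrast described above, as an added example that is not Imgur's code and not part of the original article: a fast, unsalted SHA-256 password store can be checked against a wordlist at the speed of one hash per guess, and identical passwords yield identical hashes across users, whereas a slow, salted key derivation function makes each guess expensive and gives every user a unique stored value. The example uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (an assumption made so the block runs without third-party packages); the wordlist and user records are constructed sample data.

```python
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

# Constructed sample wordlist (stand-in for the dictionaries used in brute-force cracking)
SAMPLE_WORDLIST = ["password", "123456", "letmein", "qwerty", "hunter2"]

# Legacy scheme described in the article: a single unsalted SHA-256 of the password.
def sha256_store(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Why that scheme fails: one cheap hash per candidate, and no per-user salt, so a
# match found for one user applies to every user who chose the same password.
def sha256_guess(stored_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    for candidate in wordlist:
        if hmac.compare_digest(sha256_store(candidate), stored_hex):
            return candidate
    return None

# Slow, salted replacement. PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption);
# 600,000 iterations follows current OWASP guidance for this construction.
PBKDF2_ITERATIONS = 600_000

def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Self-describing record: algorithm, work factor, salt and derived key, like bcrypt's "$2b$..." format
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed user table: two users who picked the same weak password.
def build_sample_users():
    users = {"alice": "letmein", "bob": "letmein"}
    legacy = {u: sha256_store(p) for u, p in users.items()}
    modern = {u: pbkdf2_store(p) for u, p in users.items()}
    return legacy, modern

# Under SHA-256 the two records collide; under the salted scheme they differ.
def same_password_collides(store: dict) -> bool:
    return store["alice"] == store["bob"]

# Rough cost ratio: time for one PBKDF2 derivation versus one plain SHA-256 guess.
def cost_ratio(password: str = "letmein") -> float:
    t0 = time.perf_counter()
    for _ in range(10_000):
        sha256_store(password)
    per_sha256 = (time.perf_counter() - t0) / 10_000
    t0 = time.perf_counter()
    pbkdf2_store(password, salt=b"\x00" * 16)
    per_pbkdf2 = time.perf_counter() - t0
    return per_pbkdf2 / per_sha256

if __name__ == "__main__":
    legacy, modern = build_sample_users()
    print("SHA-256 guess for alice:", sha256_guess(legacy["alice"], SAMPLE_WORDLIST))
    print("SHA-256 records collide:", same_password_collides(legacy))
    print("PBKDF2 records collide:", same_password_collides(modern))
    print("PBKDF2 verify alice:", pbkdf2_verify("letmein", modern["alice"]))
    print(f"PBKDF2 cost per guess / SHA-256 cost per guess: ~{cost_ratio():.0f}x")
```

The salted scheme does not stop a determined attacker from guessing a weak password like "letmein" for one account; it makes each guess far more expensive and forces the work to be repeated per user instead of once for the whole dump, which is the property Imgur gained by moving to bcrypt.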
What Was breached?
Although the breach affected more than 1.7 million accounts, it is not clear what attackers could do with the data. In a statement, Imgur said the compromised information did not include anything that could put users at risk. Helpfully, Imgur does not collect personally identifiable information (PII) such as addresses, phone numbers, real names, or other personal data.
What’s Next?
After the notification from Hunt, Imgur began notifying affected users on November 24. Imgur also required affected users to change their passwords and published a public disclosure. Hunt said he was impressed by Imgur’s swift response given the timing of his report. “I disclosed this incident to Imgur late in the day in the midst of the US Thanksgiving holidays,” said Hunt. In a tweet, Hunt also wrote, “This is really where we’re at now: people recognize that data breaches are the new normal and they’re judging organizations not on the fact that they’ve had one but on how they’ve handled it when it’s happened.”
What to Do?
If you have an Imgur account, or any online account that shares its password, change that password immediately. Since online threats keep growing, use a different email, username, and strong password combination for each account; passwords should be at least 12 characters long. After changing your passwords, wait for Imgur to communicate the next steps. In its blog post, Imgur states that it “will be conducting an internal security review of our system and processes. We apologize that this breach occurred and the inconvenience it has caused you. If you have questions, we encourage you to contact us at firstname.lastname@example.org.”