Nov. 26 (UPI) — Photo sharing website Imgur confirmed 1.7 million email addresses and passwords were stolen during a breach in 2014.
Imgur released a blog post on Friday notifying users of the breach after attackers possibly cracked the website’s password encryption algorithm.
“While we are still actively investigating the intrusion, we wanted to inform you as quickly as possible as to what we know and what we are doing in response,” the post stated.
Troy Hunt, who runs the data breach notification site Have I Been Pwned, notified Imgur of the breach on Thursday after he was sent data that included the information of Imgur users.
“He simultaneously notified Imgur’s Founder/CEO and Vice President of Engineering. Our Vice President of Engineering then arranged to securely receive the data from the researcher and began working to validate that the data belonged to Imgur users,” Imgur said.
After being notified of the breach, the company began resetting the passwords of the affected accounts.
Imgur said the information stolen in the breach didn’t include personally identifying information such as real names, addresses or phone numbers, as the site had never asked users to provide such information.
While noting the incident is still under investigation, Imgur Chief Operating Officer Roy Sehgal said attackers may have cracked the site’s password encryption through “brute force” due to the older SHA-256 algorithm, which has since been updated.
Imgur encouraged users to use different email and password combinations for all of their online accounts and to reset passwords that may have been affected by the breach.
Hunt praised Imgur for quickly responding to the news of the breach despite learning of it during a holiday.
“I disclosed this incident to Imgur late in the day in the midst of the U.S. Thanksgiving holidays,” Hunt said. “That they could pick this up immediately, protect impacted accounts, notify individuals and prepare public statements in less than 24 hours is absolutely exemplary.”