Ride sharing app Uber shocked both employers and customers this month by revealing that hackers had successfully stolen identifying information from approximately 57 million users and 600,000 of their own drivers. More alarming was the fact that the hack had taken place nearly a year ago, but the company had paid its own team of hackers $100,000 to hide evidence of the incident. In the wake of that revelation, another popular web service has also revealed their own recently uncovered incident from the past, this time occurring nearly three years ago.
Imgur, a popular image hosting site, originally began as an offshoot of link aggregate and social commentary site reddit in 2009. Since then, the site has slowly grown its own dedicated user base, in-jokes, attention from celebrities like Olympic athlete Cody Miller, and even released a mobile app. Unfortunately for users, Imgur staff revealed that back in 2014, roughly 1.7 million user email addresses and passwords were stolen by an unknown group of hackers. Roy Sehgal, the Chief Operating Officer at Imgur, confirmed that the website did not have knowledge of the 2014 hack until this Thanksgiving and subsequently released the information publicly the following Friday.
While the investigation is still ongoing, it seems the company has some inkling into how the attack was accomplished. Imgur significantly upgraded its security and encryption back in 2016, but prior to that the site used a hashing algorithm that Sehgal believes would have been vulnerable to a brute force-style hack. Brute force hacks work by trying as many login credentials as possible until a match is discovered. The 2016 update to the site included a new bcrypt algorithm to replace the outdated hashing algorithm used to protect user information.
Imgur has already sent emails to the 1.7 million affected users requiring them to update their passwords. Likewise, the site is urging its entire user base to update login credentials, though they do not anticipate a second breach given their security updates in 2016. The company went on to stress that, since the website does not request users’ real names, phone numbers, street addresses, or other important issues, the impact of the hack should be relatively minor. With a total of 150 million users as of 2017, the site has grown significantly since the incident. Sehgal apologized for the late discovery of the breach and reassured users that the company would continue its internal review.