Imgur confirms 1.7 million user credentials have been compromised

Cal Jeffrey


Imgur has announced that roughly 1.7 million user accounts were compromised. That may sound bad, but it is not the worst of it: according to the information the company received from a security researcher, the breach occurred in 2014, meaning affected users have been exposed for at least three years.

Imgur’s Chief Operating Officer Roy Sehgal stated that he received an e-mail late on Thanksgiving evening from an unnamed data breach expert informing him of a suspected intrusion that may have occurred back in 2014. The researcher said he had received data that contained what he believed were Imgur usernames and passwords.

Sehgal immediately notified Imgur CEO Alan Schaaf and VP of Engineering Ron Benson. Benson arranged to securely retrieve the suspected data so that he could validate that it consisted of Imgur user credentials. After examining it, the company confirmed that close to 1.7 million Imgur user accounts were exposed and that the breach occurred in 2014.

“The compromised account information included only email addresses and passwords. Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information (PII), so the information that was compromised did NOT include such PII.”

The company is still investigating how the intrusion occurred. Sehgal suggested that attackers may have brute-forced the SHA-256 password hashes the site used at the time. SHA-256 is a fast, general-purpose hash rather than an encryption scheme or a dedicated password hash, so anyone holding the dump can test billions of candidate passwords per second offline, and every account that used a common or short password should be assumed cracked. Since 2016 the company has stored passwords with bcrypt, a deliberately slow, salted password-hashing algorithm designed to make exactly that kind of offline guessing expensive.
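To make the difference concrete, the following added example (illustrative code, not Imgur's) runs the same small dictionary attack against two constructed password tables: one storing unsalted SHA-256 as the article describes for 2014, and one storing a salted, deliberately slow hash. bcrypt is not in Python's standard library, so `hashlib.scrypt` stands in for it; the e-mail addresses, passwords, wordlist and the reduced scrypt cost parameter are all assumptions made up for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample data for the demo: a tiny wordlist and three accounts.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "hunter2"]
ACCOUNTS = {
    "alice@example.com": "password",                   # weak, in the wordlist
    "bob@example.com": "hunter2",                      # weak, in the wordlist
    "carol@example.com": "Tr0ub4dor&3-correct-horse",  # not in the wordlist
}


# --- The 2014-style scheme: unsalted SHA-256 ---------------------------------
def sha256_store(password: str) -> str:
    """Store sha256(password) with no salt: fast, and identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(stored: dict[str, str], wordlist: list[str]) -> tuple[dict, int]:
    """Offline attack on an unsalted dump.

    With no salt, each candidate is hashed once and the result is looked up
    against every account at the same time. Returns the recovered passwords
    and the number of hash computations spent (one per candidate, regardless
    of how many accounts are in the dump).
    """
    table = {sha256_store(w): w for w in wordlist}
    recovered = {email: table[h] for email, h in stored.items() if h in table}
    return recovered, len(wordlist)


# --- The hardened scheme: per-user salt plus a deliberately slow hash ---------
# hashlib.scrypt stands in for bcrypt here (assumption for the demo). N is
# lowered so the example runs quickly; a server would tune it far higher.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 12, 8, 1


def slow_store(password: str, salt: bytes | None = None) -> tuple[str, str]:
    """Store (salt, scrypt(password, salt)) with a fresh random salt per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt.hex(), digest.hex()


def verify_slow(password: str, salt_hex: str, digest_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = slow_store(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest_hex)


def crack_salted(stored: dict[str, tuple[str, str]], wordlist: list[str]) -> tuple[dict, int]:
    """Same attack against the salted dump.

    Every account has its own salt, so each candidate must be hashed again
    for each account, and every one of those hashes is slow. Returns the
    recovered passwords and the number of expensive hash computations spent.
    """
    recovered, ops = {}, 0
    for email, (salt_hex, digest_hex) in stored.items():
        for cand in wordlist:
            ops += 1
            if verify_slow(cand, salt_hex, digest_hex):
                recovered[email] = cand
                break
    return recovered, ops


def demo() -> dict:
    """Build both dumps from the sample accounts and attack each one."""
    weak_dump = {e: sha256_store(p) for e, p in ACCOUNTS.items()}
    strong_dump = {e: slow_store(p) for e, p in ACCOUNTS.items()}
    weak_found, weak_ops = crack_unsalted(weak_dump, WORDLIST)
    strong_found, strong_ops = crack_salted(strong_dump, WORDLIST)
    return {"weak_found": weak_found, "weak_ops": weak_ops,
            "strong_found": strong_found, "strong_ops": strong_ops}


if __name__ == "__main__":
    print(demo())
```

Both attacks recover the two weak passwords; the point is the cost. The unsalted SHA-256 table falls with six cheap hashes no matter how many accounts it holds, while the salted table needs a separate slow hash per candidate per account (14 here), and that multiplier is what turns a 1.7-million-row dump from an evening's GPU job into something an attacker cannot finish. Neither scheme protects a password that is in the attacker's wordlist, which is why the reuse warning below still applies.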

Imgur has already begun e-mailing affected users to inform them of the breach and advise them to change their passwords. Because attackers routinely try leaked e-mail/password pairs against other sites, users should also change the password on any other account where the same combination was reused.



Squid Surprise

What are the odds that they really didn't know that their security was breached and that they just hoped no one would ever find out....

Every company that has online login information should have someone (or many someones) responsible for checking the web to see if their databases have been compromised - it's really not that hard to have someone join a "quasi-legal" cracking site and be on the lookout for your company's login/pw being dumped!


I'm not in favor of ever increasing laws, but if people can't behave sometimes the gov't needs to do it. All data breaches should be required to be reported, publicly and to the individuals involved.
@Squid Surprise is absolutely correct: companies, especially banks, do all they can to hide these breaches, as knowledge of them damages their brand.