Imgur recently announced that 1.7 million user accounts might have been compromised. That may sound bad but it’s not the worst of it. According to the information that the company received from a security researcher, the breach occurred in 2014 meaning affected users have been exposed for at least three years.

Imgur’s Chief Operating Officer Roy Sehgal stated that he received an e-mail late Thanksgiving evening from an unnamed data breach expert informing him of a suspected intrusion that may have occurred back in 2014. The researcher said he had received information that contained what he believed was Imgur usernames and passwords.

Sehgal immediately notified Imgur CEO Alan Schaaf and VP of Engineering Ron Benson of the news. Benson arranged to securely retrieve the suspected data so that he could validate that it was Imgur user credentials. After examination of the information, officials confirmed that close to 1.7 million Imgur user accounts were exposed and that the breach occurred in 2014.

“The compromised account information included only email addresses and passwords. Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information (PII), so the information that was compromised did NOT include such PII.”

The company is still investigating how the intrusion occurred. Sehgal suggested that attackers may have used brute force to crack the SHA-256 encryption that it used for passwords back then. As of 2016, the company has been using the new bcrypt algorithm to protect passwords.

Imgur has already begun sending out e-mails to impacted users, informing them of the breach and advising them to change their passwords. It would also be prudent to change passwords on any accounts outside of Imgur where users may have used the same username/password combination.