Imgur says 1.7M emails and passwords were breached in 2014 hack
Image-hosting website turned meme social community, Imgur, is the latest tech service to ‘fess up to a security breach. In a blog post Friday it revealed that hackers had compromised its systems in 2014, with ~1.7M emails and passwords affected.
No other information was apparently compromised in the breach.
“Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information (“PII”), so the information that was compromised did NOT include such PII,” it emphasizes.
While the hack occurred three years ago, Imgur says it only came to light on November 23, when it was contacted by security researcher Troy Hunt, who had been sent the stolen data as a consequence of running the haveibeenpwned data breach notification service.
Hunt has since tweeted to confirm that most of the stolen credentials were already in his database (though he appears to have tweeted the wrong date for the Imgur hack).
Imgur hasn’t confirmed how the breach occurred as yet, saying it’s still investigating. It does note, though, that in 2014 it was using an older hashing algorithm (SHA-256) for hashing passwords in its database, and suggests the hackers may thus have cracked the stolen credentials using a brute force attack.
“We updated our algorithm to the new bcrypt algorithm last year,” it adds.
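The move from a fast digest to a slow password hash described above can be done without knowing users' passwords in advance, by re-hashing at the next successful login. The following is an added example, not Imgur's code: it uses Python's standard-library scrypt in place of bcrypt to stay dependency-free, and the record format, cost parameters and function names are assumptions.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for this example; tune them for your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def legacy_hash(password):
    """Hypothetical legacy record: a bare SHA-256 digest, fast to compute and to guess against."""
    return "sha256$" + hashlib.sha256(password.encode()).hexdigest()

def slow_hash(password, salt=None):
    """Salted, deliberately expensive record: scrypt$<salt hex>$<key hex>."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${key.hex()}"

def verify(password, stored):
    """Recompute the record under its own scheme and compare in constant time."""
    scheme, _, rest = stored.partition("$")
    try:
        if scheme == "sha256":
            candidate = legacy_hash(password)
        elif scheme == "scrypt":
            candidate = slow_hash(password, bytes.fromhex(rest.split("$")[0]))
        else:
            return False  # unknown scheme: fail closed
        return hmac.compare_digest(candidate, stored)
    except (ValueError, TypeError):
        return False  # malformed salt field or non-ASCII record

def login(db, user, password):
    """Check the password; if the record is still legacy, replace it with a slow hash."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("sha256$"):
        db[user] = slow_hash(password)  # only possible now, while the plaintext is in hand
    return True

if __name__ == "__main__":
    db = {"alice": legacy_hash("correct horse")}  # constructed sample record
    print(login(db, "alice", "wrong"), db["alice"][:7])
    print(login(db, "alice", "correct horse"), db["alice"][:7])
```

Accounts that never log in again keep their legacy digest under this scheme, which is why it is usually paired with a forced password reset like the one Imgur applied to affected users.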
Sad to say, data breach disclosures are an all too regular occurrence these days.
And a breach affecting 1.7M users looks almost modest in comparison with some of the recently disclosed mega-hacks.
Chiefly, Yahoo’s massive hacks in 2013 and 2014, which apparently affected all three billion of its accounts.
But also just last week Uber disclosed a massive hack that compromised the personal data of 57M Uber users and drivers.
What’s notable here is the apparent speed of disclosure. While Imgur says it only became aware of the hack on November 23, by the morning of November 24 it had begun notifying impacted users (via their registered email address), and forcing password resets.
It also made a public disclosure of the breach via its blog post on November 24, at 4PM PST.
Compare that with Uber, which kept quiet about a massive October 2016 breach for the best part of a year, having learned that hackers stole the user data in November 2016.
In Uber’s case, the compromised information also included PII (names, addresses, phone numbers and around 600,000 US drivers’ licenses). So the associated risks to users, such as ID theft, are greater.
Another thing to note is that new rules incoming in the European Union will set a data breach disclosure standard of 72 hours from May next year. And under the GDPR, data controllers will also face far stiffer penalties for failing to comply.
So, for example, under Europe’s incoming rules the recent breach disclosed by Equifax (affecting ~143M users, including some in Europe, and including names, addresses, dates of birth, Social Security numbers, drivers’ licenses and, for a subset, credit card data) could have resulted in a fine as high as $68.5M, based on projections for the company’s full year revenue for 2017.
Companies that disclose breaches promptly, as Imgur appears to have done here, will be at far lower risk of being slapped with big fines under GDPR, if they are also handling European residents’ data.
So perhaps, as the financial risks of storing and handling user data step up, we’ll start to see more data breaches disclosed promptly. Over time, EU lawmakers’ hope is that there will be fewer major breaches occurring as security and data protection are given far more executive priority.
Author: Elis Paul
Elis Paul is a blogger from Germany. He is a software engineer currently pursuing an M.Phil in Computer Science at the Technical University of Munich.