Imgur says 1.7M emails and passwords have been breached in 2014 hack
Image-hosting website turned meme social network Imgur is the latest tech service to 'fess up to a security breach. In a blog post Friday it revealed that hackers had compromised its systems in 2014, with ~1.7M emails and passwords affected.
No other information was apparently compromised in the breach.
“Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information (“PII”), so the information that was compromised did NOT include such PII,” it emphasizes.
While the hack occurred three years ago, Imgur says it only came to light on November 23, when it was contacted by security researcher Troy Hunt, who had been sent the stolen data as a result of running the haveibeenpwned data breach notification service.
Hunt has since tweeted to confirm that most of the stolen credentials were already in his database (though he appears to have tweeted the wrong date for the Imgur hack).
Imgur hasn't confirmed how the breach occurred as yet, saying it's still investigating. Though it does note that in 2014 it was using an older hashing algorithm (SHA-256) to protect passwords in its database, and suggests the hackers may thus have cracked the stolen credentials using a brute force attack.
“We updated our algorithm to the new bcrypt algorithm last year,” it adds.
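The point Imgur is making is that a single fast hash such as SHA-256 lets an attacker test password guesses at hardware speed, while a salted, deliberately slow password hash such as bcrypt does not. The example below is added here to illustrate that and is not Imgur's code or anything from the article. It uses scrypt from Python's standard library as a stand-in for bcrypt (an assumption made so the example runs without third-party packages; both are slow, salted password hashes), and it shows the usual migration pattern for a site in Imgur's position: stored legacy SHA-256 records cannot be converted without the plaintext, so each record is upgraded on the user's next successful login. The user table and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import time

# Legacy scheme of the kind described in the article: one fast, unsalted SHA-256 over the password.
# Kept here only so legacy records can be verified during migration; never use it for new records.
def legacy_sha256_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Hardened scheme: salted, memory-hard, tunable-cost KDF. scrypt is used as the stand-in for bcrypt
# because it ships with hashlib; the cost parameters below are an assumption for this example
# (n=2**14, r=8 needs about 16 MiB, which fits hashlib's default memory limit).
SCRYPT_N, SCRYPT_R, SCRYPT_P, SCRYPT_DKLEN = 2 ** 14, 8, 1, 32

def scrypt_record(password: str, salt: bytes = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$digest_hex' with a fresh random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=SCRYPT_DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_scrypt(password: str, record: str) -> bool:
    """Recompute the digest with the parameters stored in the record and compare in constant time."""
    _, n, r, p, salt_hex, digest_hex = record.split("$")
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    return hmac.compare_digest(digest.hex(), digest_hex)

def verify_and_upgrade(password: str, record: str):
    """Verify a password against either record format.

    Returns (ok, record_to_store). A legacy SHA-256 record that verifies is replaced by a fresh
    scrypt record, because the login is the only moment the server holds the plaintext.
    """
    if record.startswith("scrypt$"):
        return verify_scrypt(password, record), record
    ok = hmac.compare_digest(legacy_sha256_hash(password), record)
    return ok, (scrypt_record(password) if ok else record)

def login(users: dict, username: str, password: str) -> bool:
    """Authenticate against the in-memory user table and persist any upgraded record."""
    if username not in users:
        # Burn a hash anyway so unknown usernames are not distinguishable by response time.
        scrypt_record(password)
        return False
    ok, new_record = verify_and_upgrade(password, users[username])
    if ok:
        users[username] = new_record
    return ok

def slowdown_factor(sha_rounds: int = 2000, kdf_rounds: int = 3) -> float:
    """Rough per-guess cost ratio of the slow hash over fast SHA-256, as seen by a guesser."""
    t0 = time.perf_counter()
    for i in range(sha_rounds):
        legacy_sha256_hash(f"guess{i}")
    per_sha = (time.perf_counter() - t0) / sha_rounds
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    for i in range(kdf_rounds):
        scrypt_record(f"guess{i}", salt)
    per_kdf = (time.perf_counter() - t0) / kdf_rounds
    return per_kdf / per_sha

if __name__ == "__main__":
    # Constructed sample table: one user still on the legacy hash, one already migrated.
    users = {
        "legacy_user": legacy_sha256_hash("correct horse battery staple"),
        "new_user": scrypt_record("hunter2hunter2"),
    }
    print("legacy login:", login(users, "legacy_user", "correct horse battery staple"))
    print("record upgraded:", users["legacy_user"].startswith("scrypt$"))
    print("wrong password:", login(users, "legacy_user", "wrong"))
    print("each guess costs roughly %.0fx more against scrypt" % slowdown_factor())
```

Two design points are worth noting. The record embeds its own cost parameters, so the site can raise the work factor later and old records still verify until they are upgraded on the next login. And the upgrade happens only on a successful login: a password database migrated this way still carries the weak hashes for users who never return, so those accounts are the ones to force a reset on, which is exactly the step Imgur took for affected users.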
Sad to say, data breach disclosures are an all too common occurrence these days.
And a breach affecting 1.7M users looks almost modest in comparison with some of the recently disclosed mega-hacks.
Notably, Yahoo's massive hacks in 2013 and 2014, which apparently affected all three billion of its accounts.
But also just last week Uber disclosed a huge hack that compromised the personal data of 57M Uber users and drivers.
What's notable here is the apparent speed of disclosure. So while Imgur says it only became aware of the hack on November 23, by the morning of November 24 it had begun notifying affected users (via their registered email address) and forcing password resets.
It also made a public disclosure of the breach via its blog post on November 24, at 4PM PST.
Compare that with Uber, which kept quiet about a massive October 2016 breach for the best part of a year, having learned that hackers stole the user data in November 2016.
In Uber's case, the compromised information also included PII (names, addresses, phone numbers and around 600,000 US drivers' licenses). So the associated risks to users, such as ID theft, are greater.
Another thing to note is that new rules incoming in the European Union will set a data breach disclosure standard of 72 hours from May next year. And under the GDPR, data controllers will also face far stiffer penalties for failing to comply.
So, for example, under Europe's incoming rules the recent breach disclosed by Equifax, affecting ~143M consumers, including some in Europe, and including names, addresses, dates of birth, Social Security numbers, drivers' licenses and (for a subset) credit card data, could have resulted in a fine as high as $68.5M, based off of projections for the company's full year revenue for 2017.
Whereas companies that disclose breaches promptly, as Imgur appears to have done here, will be at far lower risk of being slapped with large fines under GDPR, if they're also handling European citizens' data.
So perhaps, as the financial risks of storing and handling user data step up, we'll start to see more data breaches disclosed promptly. While, over time, EU lawmakers' hope is there will be fewer major breaches occurring as security and data protection gets given much more executive priority.