
Imgur had a database of 1.7 million anonymous user accounts stolen


Imgur office

The image hosting service Imgur has officially acknowledged that its servers were breached in 2014, leaking 1.7 million user accounts with email addresses and SHA-256 password hashes.

The hack was a clean one. For the past three years, Imgur's sysadmins had no idea that anything of the kind had happened. The developers learned about the breach only after the user data had actually been made publicly available. To its credit, Imgur responded promptly, denied nothing and immediately began notifying users.

Imgur is one of the most popular image hosting sites in the world. All pictures are stored there forever. The site was launched in 2009 by Alan Schaaf, a computer science student from Ohio. Because of the high cost of hosting, he had to change hosting providers several times (it is now Amazon Web Services); banner advertising appeared on the site in 2009, paid accounts in 2010, and sponsored images in 2013. But in 2014 the site received $40 million in investment, so those problems were immediately resolved.
Among Imgur's features:


All this quickly built a loyal audience of users around the site, many of whom were also Reddit users.

Chief Operating Officer Roy Sehgal noted in the official blog that no personal user data leaked, for one simple reason: the company does not ask its users for personal data, only an email address. The service is emphatically anonymous.

On November 23, 2017, the company was notified of the breach by renowned security expert Troy Hunt, the creator of Have I Been Pwned. That site aggregates stolen account databases and lets users search them to find out whether their accounts have been compromised somewhere.

Roy Sehgal recalls that November 23 was Thanksgiving Day. The email was sent at noon, but the COO read it only late at night. Despite it being the evening of the holiday, he immediately notified the founder/CEO and the vice president of engineering. They contacted Troy Hunt and agreed to have the database transferred over secure channels so that they could examine it. The transfer took place.

A quick analysis of the leak confirmed its authenticity, and the user notification in the official blog was published the next day, November 24. Hunt was genuinely impressed by the 25-hour-10-minute response time, as he tweeted.


1.7 million accounts is a tiny fraction of Imgur's current audience of about 150 million monthly users.

Troy Hunt also analysed the database and found that 60% of the entries were duplicates: email addresses of accounts that had already leaked earlier, in breaches of other sites. In total, his database holds 4.8 billion records.

SHA-256 password hashes are vulnerable to brute-force attacks, so in 2016 Imgur switched to the more robust bcrypt hashing algorithm.
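The migration described above cannot be done in bulk, because the server never holds the plaintext password except at login; the usual defender's approach is to verify against the legacy hash and transparently re-hash the record on the next successful login. The following is an added illustration of that pattern, not Imgur's code; since the third-party bcrypt package is not in the standard library, it uses the salted, memory-hard scrypt from hashlib as a stand-in, and the record formats and user table are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed storage formats (assumption, not Imgur's real schema):
#   "sha256$<hex>"          legacy, unsalted, fast to brute-force
#   "scrypt$<salt>$<hex>"   salted, slow; stand-in for bcrypt
LEGACY_PREFIX = "sha256$"
STRONG_PREFIX = "scrypt$"


def legacy_sha256(password: str) -> str:
    """Unsalted SHA-256, the weak scheme that leaked in the 2014 breach."""
    return LEGACY_PREFIX + hashlib.sha256(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = b"") -> str:
    """Salted, memory-hard hash; a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return STRONG_PREFIX + salt.hex() + "$" + digest.hex()


def verify(stored: str, password: str) -> bool:
    """Check a password against either record format, in constant time."""
    if stored.startswith(LEGACY_PREFIX):
        return hmac.compare_digest(stored, legacy_sha256(password))
    if stored.startswith(STRONG_PREFIX):
        _, salt_hex, _ = stored.split("$")
        return hmac.compare_digest(stored, strong_hash(password, bytes.fromhex(salt_hex)))
    return False  # unknown format: fail closed


def login(users: dict, email: str, password: str) -> bool:
    """Authenticate and, on success, upgrade a legacy record in place."""
    stored = users.get(email)
    if stored is None or not verify(stored, password):
        return False
    # The plaintext is only available here, so this is the moment to re-hash.
    if stored.startswith(LEGACY_PREFIX):
        users[email] = strong_hash(password)
    return True


def needs_upgrade(users: dict) -> int:
    """How many records still use the legacy scheme (a useful migration metric)."""
    return sum(1 for rec in users.values() if rec.startswith(LEGACY_PREFIX))
```

Until a user logs in again, their record stays in the weak format, which is why a breach of a half-migrated table still exposes the legacy rows; `needs_upgrade` is the number a team would track to decide when to force resets for the remainder.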

Since all users are anonymous, the risk from this leak is fairly small. First, it affects only those who used Imgur in 2014. Second, the only information an attacker can obtain is an email address and the password for the account on this site. If that password was used only on this site, nothing particularly terrible will happen. Well, apart from losing your photos and hand-made memes.

It is another matter if that password is the same as the password for the email account and there is no two-factor authentication. Then an attacker could do real damage. But the leak happened long ago, and if the attacker has not acted yet, it is unlikely they will. Nevertheless, on the morning of November 24 the company began sending notifications to all users whose accounts were found in the database, asking them to change their password immediately.

Imgur also appears to have no security department at all; at least, there is no mention anywhere of either such specialists or such a department. And why would it be needed, if the company stores no personal data? It is simple hosting of user images, pure UGC. Making backups is enough, and that is the whole of security.

As usual, users are asked to use complex passwords that are different for every site, and to change them regularly.

Imgur is currently investigating the circumstances of the hack. It has also begun a thorough security review of all Imgur systems and processes.

Source: https://habr.com/ru/post/357446/
