While most Americans were celebrating the Thanksgiving holiday on Nov. 23, image hosting site imgur was dealing with a data breach report. Security researcher Troy Hunt who operates the Have I Been Pwned website, informed Imgur of the security incident after he received data from an alleged breach.
"On the afternoon of November 23rd, an email was sent to Imgur by a security researcher who frequently deals with data breaches," Roy Sehgal, Chief Operating Officer at Imgur wrote in a data breach notice. "He believed he was sent data that included information of Imgur users."
The actual incident occurred in 2014 and includes information on 1.7 million Imgur user accounts. Even though Imgur was alerted to the breach on a U.S Holiday, it reacted quickly to both confirm the that authenticity of the breached data and to help reduce any potential risk to users.
"I want to recognize @imgur's exemplary handling of this: that's 25 hours and 10 mins from my initial email to a press address to them, mobilizing people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure," Hunt wrote in a Twitter message on Nov. 24.
According to Imgur, the user account information that was stolen included only email address and passwords. The company stated that it does not collect real names, phone number or addresses. Imgur began to notify impacted users on Nov. 24, and required those users to update their passwords.
At this point, it's not entirely clear how the Imgur systems were breached or why it took three years for the breach to be discovered, as the investigation is still ongoing.
"We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time," Sehgal wrote. "We updated our algorithm to the new bcrypt algorithm last year."
Bcrypt is an advanced secure hashing algorithm that is considered by security experts to be more secure than SHA-256 hash for a number of reasons. Bcrypt hashes are "salted" by default, which means they include a random data element that is included in a hash to make it more secure than a SHA-256 hash.
Imgur makes use of Amazon's S3 cloud storage service for hosting images and was among many sites that were hit by the Amazon S3 outage on Feb.28 that impacted services for several hours. S3 has been the subject of security researcher scrutiny in recent years, that has lead to multiple data breach disclosures, typically as a result of organization not properly securing their data access credentials. Among the most recent data breach disclosures associated with S3 usage was one involving the U.S. Department of Defense CENTCOM data on Nov. 17.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.