Imgur Discloses Security Breach That Occurred in 2014 | eWeek

1.7M Accounts Breached in Imgur Attack that Occurred in 2014

Imgur
Nov 27, 2017
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

While most Americans were celebrating the Thanksgiving holiday on Nov. 23, image hosting site imgur was dealing with a data breach report. Security researcher Troy Hunt who operates the Have I Been Pwned website, informed Imgur of the security incident after he received data from an alleged breach.

“On the afternoon of November 23rd, an email was sent to Imgur by a security researcher who frequently deals with data breaches,” Roy Sehgal, Chief Operating Officer at Imgur wrote in a data breach notice. “He believed he was sent data that included information of Imgur users.”

The actual incident occurred in 2014 and includes information on 1.7 million Imgur user accounts. Even though Imgur was alerted to the breach on a U.S Holiday, it reacted quickly to both confirm the that authenticity of the breached data and to help reduce any potential risk to users.


“I want to recognize @imgur‘s exemplary handling of this: that’s 25 hours and 10 mins from my initial email to a press address to them, mobilizing people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure,” Hunt wrote in a Twitter message on Nov. 24.

According to Imgur, the user account information that was stolen included only email address and passwords. The company stated that it does not collect real names, phone number or addresses. Imgur began to notify impacted users on Nov. 24, and required those users to update their passwords.

At this point, it’s not entirely clear how the Imgur systems were breached or why it took three years for the breach to be discovered, as the investigation is still ongoing.

“We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time,” Sehgal wrote. “We updated our algorithm to the new bcrypt algorithm last year.”

Bcrypt is an advanced secure hashing algorithm that is considered by security experts to be more secure than SHA-256 hash for a number of reasons. Bcrypt hashes are “salted” by default, which means they include a random data element that is included in a hash to make it more secure than a SHA-256 hash.

Imgur makes use of Amazon’s S3 cloud storage service for hosting images and was among many sites that were hit by the Amazon S3 outage on Feb.28 that impacted services for several hours. S3 has been the subject of security researcher scrutiny in recent years, that has lead to multiple data breach disclosures, typically as a result of organization not properly securing their data access credentials. Among the most recent data breach disclosures associated with S3 usage was one involving the U.S. Department of Defense CENTCOM data on Nov. 17. 

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.