Late Friday night, Imgur came clean about a security breach that took place in 2014. During the incident, Imgur says an unknown attacker managed to steal details on 1.7 million users, representing about 1.13% of Imgur's total 150 million users.
According to Imgur Chief Operating Officer Roy Sehgal, hackers didn't steal much information because Imgur never asked users for troves of data at sign-up in the first place.
Only emails and password hashes were lost in the breach. Imgur said the passwords were hashed using the SHA-256 algorithm, which is currently deemed breakable, but only at very high computational cost, and is out of the reach of many lowly hackers.
Imgur also said that in 2015 it switched password hashing operations to the more secure bcrypt algorithm.
Nonetheless, the company is currently prompting all users included in the 2014 breach to change their passwords.
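One common way to carry out a SHA-256-to-bcrypt move like the one mentioned above is to re-hash each password at the user's next successful login, since the plaintext is only available then. The sketch below is an added example, not Imgur's code: it assumes the legacy records are single-pass unsalted SHA-256 (the article does not say whether a salt was used), uses the standard library's scrypt as a stand-in for bcrypt, and the record format and function names are hypothetical.

```python
import hashlib
import hmac
import os

# Assumed work-factor parameters; scrypt stands in for bcrypt in this example.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def legacy_sha256(password):
    """Legacy record (assumed format): hex of one unsalted SHA-256 pass."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password, salt=None):
    """New record (hypothetical format): scrypt$<salt hex>$<derived key hex>."""
    salt = salt or os.urandom(16)  # fresh per-user salt unless re-deriving
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%s$%s" % (salt.hex(), dk.hex())


def verify_and_upgrade(password, stored):
    """Check a login attempt against either record type.

    Returns (ok, replacement). replacement is a new slow-hash record only
    when a legacy SHA-256 record verified; the caller stores it and discards
    the old hash. Otherwise replacement is None.
    """
    if stored.startswith("scrypt$"):
        salt_hex = stored.split("$")[1]
        candidate = slow_hash(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, stored), None
    ok = hmac.compare_digest(legacy_sha256(password), stored)
    return ok, (slow_hash(password) if ok else None)


if __name__ == "__main__":
    # Constructed sample account, not real data.
    db = {"alice@example.com": legacy_sha256("correct horse")}
    ok, replacement = verify_and_upgrade("correct horse", db["alice@example.com"])
    if ok and replacement:
        db["alice@example.com"] = replacement  # legacy hash is gone after this
    print(ok, db["alice@example.com"].split("$")[0])
```

Accounts that never log in again keep their legacy hash under this scheme, which is one reason to pair it with a forced password reset for the affected users.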
The image hosting site is only now notifying users because it only found out about the breach on Thanksgiving. It was security researcher Troy Hunt who notified the company after he received a copy of the stolen user details himself. Hunt runs the Have I Been Pwned? service and he regularly receives such data from unknown sources.
Hunt lauded the company's quick response, even on a national US holiday, revealing it took the company 25 hours and 10 minutes to notify users and publicly disclose the incident.
Hunt made this comment after it was revealed this week that Uber suffered a data breach last year, but the company only now notified users after paying a ransom of $100,000 to hackers to keep quiet about the incident.
"I want to recognise @imgur's exemplary handling of this: that's 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure. Kudos! https://t.co/jV8MDscXLT" — Troy Hunt (@troyhunt) November 25, 2017