Popular image hosting website Imgur, which is often closely associated with the social news sharing website Reddit, experienced a data breach last week that exposed the login information of nearly two million users.

The incident was confirmed by the site’s chief operating officer Roy Sehgal in a blog post. Sehgal said Imgur was contacted by a security researcher last Thursday about a potential breach and discovered 1.7 million usernames and passwords had been compromised by an attacker.

The breach that resulted in the stolen user information took place in 2014. Details of how the attacker was able to successfully breach the site are still unknown and Imgur’s COO said the company is still investigating the origins of the attack.

Because Imgur isn’t a social network in the way that a Facebook or Twitter is, the company never asked users for personally identifiable information like real names, addresses or phone numbers. The only information exposed in the breach were usernames and passwords.

While Imgur may not ask for personal information from its users, it does host images that users may not have intended to be seen by prying eyes. A hacker could gain access to potentially embarrassing or compromising photos uploaded to a user’s account.

Imgur encrypts the passwords that it stores in its database—a practice Sehgal said the company has “always” used—the encryption algorithm used at the time of the breach is vulnerable to cracking.

Sehgal warned the SHA-256 hashing algorithm used to encrypt passwords at the time of the breach is vulnerable to a brute force attack—an attack in which every possible combination is guessed until the correct combination of characters is discovered to find the decryption key—and the passwords could be exposed.

Imgur has started reaching out to users who were affected by the breach via email. Those who are believed to have been compromised will be required to change their passwords the next time they go to login to the image hosting service.

The breach affected just a fraction of Imgur’s userbase—about one percent of its more than 150 million registered accounts that are active every month. However, for the 1.7 million caught in the breach, the exposure of their email address and password could be compromising beyond Imgur.

Many people reuse passwords or use variations of the same password—a practice that would allow an attacker to compromise any number of accounts that share the same or similar password as the one associated with their Imgur account. An email address and password is often enough information for a hacker to compromise other accounts that may store more personal information or sensitive data.

Troy Hunt, a security researcher who maintains the website Have I Been Pwned —a valuable resource that informs people if their email appeared in a data breach—added the database of compromised Imgur accounts to his site. Users can enter their email address and see if their account was affected by the breach.

According to Hunt, about 60 percent of the email addresses that appeared in the Imgur breach were already in the database, meaning they were also compromised in at least one other major breach.

RELATED STORIES
Security Security