Good news - Imgur has been hacked!
Not quite ‘good’ news, but although hackers stole 1.7 million email addresses and passwords, best-practice company response hailed by experts...
Another day, another historical breach announcement, this time from image sharing service Imgur. The company has disclosed that a security breach in 2014 affected the email addresses and passwords of 1.7 million user accounts. The company said it is still “actively investigating the intrusion”.
The timeline began on the afternoon of November 23rd, when security researcher Troy Hunt (owner of data breach notification service Have I Been Pwned) emailed Imgur with his suspicion that he had uncovered data stolen from Imgur users. Within 24 hours, the company had securely received the data in question and validated the breach: “On the morning of November 24th, we began notifying impacted users via their registered email address. We are immediately requiring that these users update their password. We also published this public disclosure at 4PM PST”, said the company in a statement.
Hunt himself praised Imgur's efforts and quick response: "I disclosed this incident to Imgur late in the day in the midst of the US Thanksgiving holidays," said Hunt. "That they could pick this up immediately, protect impacted accounts, notify individuals and prepare public statements in less than 24 hours is absolutely exemplary", he told ZDNet.
Imgur is still investigating the breach, but told users that the limited personal data exposed - email addresses and passwords - may have been compromised because the passwords were hashed with an older, fast algorithm (SHA-256) that can be brute-forced. The company moved to the slower bcrypt algorithm last year.
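The migration Imgur describes (old SHA-256 records, new bcrypt records) is usually done lazily: a record hashed under the old scheme is verified as-is, and on a successful login the password is immediately re-hashed under the new scheme, while an audit function counts how many accounts are still on the weak format. The following is an added example, not Imgur's code; it uses PBKDF2-HMAC from the Python standard library as a stand-in for bcrypt (same salted, iterated idea; bcrypt itself needs a third-party package), and the user records are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor for the slow KDF. PBKDF2-HMAC-SHA256 stands in for bcrypt here;
# the value is an assumption for the demo and should be tuned to your hardware.
PBKDF2_ITERATIONS = 100_000
NEW_PREFIX = "pbkdf2$"


def legacy_sha256_hash(password: str) -> str:
    """The weak scheme: one unsalted SHA-256 over the password, hex-encoded.
    Fast and unsalted, so a leaked table can be attacked offline at scale."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def new_hash(password: str, salt: Optional[bytes] = None) -> str:
    """The hardened scheme: per-user random salt and a high iteration count,
    stored in a self-describing 'pbkdf2$<iters>$<salt hex>$<digest hex>' form."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{NEW_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def is_legacy(stored: str) -> bool:
    """True when the record is still an unsalted SHA-256 hash."""
    return not stored.startswith(NEW_PREFIX)


def _verify_new(password: str, stored: str) -> bool:
    _scheme, iters, salt_hex, digest_hex = stored.split("$")
    expected = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time compare to avoid leaking how many bytes matched.
    return hmac.compare_digest(expected, bytes.fromhex(digest_hex))


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Verify against whichever scheme the record uses.

    Returns (ok, record_to_store). On a successful login against a legacy
    record the returned record is a fresh hash under the new scheme; in every
    other case the stored record is returned unchanged.
    """
    if not is_legacy(stored):
        return _verify_new(password, stored), stored
    ok = hmac.compare_digest(legacy_sha256_hash(password), stored)
    if ok:
        return True, new_hash(password)  # transparent upgrade on login
    return False, stored


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate and persist any upgraded record back into the user table."""
    stored = users.get(username)
    if stored is None:
        return False
    ok, record = verify_and_upgrade(password, stored)
    if ok and record != stored:
        users[username] = record
    return ok


def legacy_count(users: Dict[str, str]) -> int:
    """Audit helper: how many accounts still carry the weak hash."""
    return sum(1 for rec in users.values() if is_legacy(rec))


if __name__ == "__main__":
    # Constructed user table: two accounts still on SHA-256, one already migrated.
    users = {
        "alice": legacy_sha256_hash("correct horse battery staple"),
        "bob": legacy_sha256_hash("hunter2"),
        "carol": new_hash("tr0ub4dor&3"),
    }
    print("legacy records before:", legacy_count(users))
    print("alice login:", login(users, "alice", "correct horse battery staple"))
    print("bob wrong password:", login(users, "bob", "not-his-password"))
    print("legacy records after:", legacy_count(users))
```

Note that the upgrade happens only once the user has presented the correct password, because the server never holds the plaintext otherwise; accounts that never log in stay on the weak hash, which is why the audit count matters and why a forced password reset (as Imgur did) is the only way to retire the remaining legacy records.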
Ilia Kolochenko, CEO of web security company High-Tech Bridge, commented: “These days, data breaches have become a sad daily routine. They will likely continue their skyrocketing growth, bringing more and more financial and reputational damage both to the victims and the breached companies. The core problem is the perpetual effect of each breach – attackers may use compromised credentials, or other sensitive data, in password reuse and social engineering attacks years after the original breach. And the more breaches occur, the more successful further attacks become as cybercriminals accumulate huge amounts of data about us.
“To minimize the domino effect of unavoidable breaches, users shall use strong and unique passwords, and provide as little sensitive, or confidential, information about themselves as reasonable in all their online accounts, while companies should better tackle application security, giving particular attention to continuous monitoring and advanced application security testing, not just automated vulnerability scanning.”
Certainly Imgur won’t be the last big-name site or service to be breached, and isn’t even the last this week, with news of a breach at Bulletproof Coffee breaking right now. However, Imgur appears to have dealt with the inevitable breach in a robust and timely manner, which deserves to be the cause of some muted celebration at least. If every high-profile enterprise dealt with data leaks and breaches so summarily, having clearly put solid and actionable processes in place to deal with such an event, then business and consumer confidence in digital products and services could well be improved.
From a European perspective, it is certainly broadly in tune with the move to GDPR compliance next year - a move that the ImmuniWeb Application Security Testing Platform can now support directly, as a recent update now enables the detection and logging of any GDPR non-compliance in your web applications.
Not quite ‘good news’, but certainly ‘better news’ all round...