Imgur Chief Operating Officer, Roy Sehgal, announced that the breach befell in 2014. Sehgal explains that Imgur does not collect names, addresses, or phone numbers from its users and that only user e-mails and password information was leaked. According to ZDNet, Troy Hunt, who runs the information service Have I Been Pwned, got the data, and adapted over the data to Imgur.
The company announces that it’s still investigating the incident, but that it believes that hackers cracked the older algorithm that was used at the time with brute force. The company upgraded its encryption in 2016.
Hunt has recommended Imgur’s swift reaction and handling of the disclosure of the breach, although some users will surely be miffed by the fact that the breach happened and they never noticed.
Unfortunately, data breaches like this one have become the new normal. Imgur says they’ve switched to scrambling user passwords with bcrypt last year. And, according to Hunt, 60% of the leaked email addresses were already in Have I Been Pwned’s database.