Image-hosting site turned meme social network, Imgur, is the latest tech service to 'fess up to a security breach. In a blog post Friday it revealed that hackers had compromised its systems in 2014, with ~1.7M emails and passwords affected.
No additional information was apparently compromised in the breach.
"Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information ('PII'), so the information that was compromised did NOT include such PII," it emphasizes.
While the hack occurred three years ago, Imgur says it only came to light on November 23, when it was contacted by security researcher Troy Hunt, who had been sent the stolen data as a consequence of running the haveibeenpwned data breach notification service.
Hunt has since tweeted to confirm that the majority of the stolen credentials were already in his database (although he appears to have tweeted the wrong date for the Imgur hack):
Imgur hasn't confirmed how the breach occurred as yet, saying it's still investigating. It does note that in 2014 it was hashing passwords with SHA-256, a fast general-purpose hash rather than a purpose-built password-hashing function, and suggests the hackers could thus have recovered many of the original passwords from the stolen hashes by brute force. (Strictly, hashes are not "decrypted": an attacker hashes each candidate password and compares the result, and a fast hash makes every one of those guesses cheap.)
"We updated our algorithm to the new bcrypt algorithm last year," it adds.
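To make the SHA-256 versus bcrypt point concrete, here is an added example (not Imgur's code, and not from the original post) that stores the same password both ways and runs the same offline dictionary attack against each record. Because bcrypt is not in the Python standard library, the hardened side uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in; what matters for the comparison is the same two properties bcrypt provides, a random per-user salt and a tunable work factor. The wordlist and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data for this example (not from the Imgur dump): a short
# "leaked" wordlist of the kind an attacker would try first.
WORDLIST = ["letmein", "password", "qwerty", "hunter2", "imgur2014"]

# --- 2014-style storage: plain, unsalted SHA-256 -----------------------------

def sha256_store(password):
    """Record as a single SHA-256 digest: fast, unsalted, no tunable work factor."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def crack_sha256(digest, wordlist):
    """Offline dictionary attack: hash each guess and compare. Nothing is
    'decrypted'; the attacker needs one cheap hash per guess, and without a
    salt one pass over the wordlist covers every user sharing that digest."""
    for guess in wordlist:
        if hmac.compare_digest(sha256_store(guess), digest):
            return guess
    return None

# --- Hardened storage: per-user salt + slow, iterated password hash ----------
# bcrypt (Imgur's replacement) is not in the standard library, so this example
# uses PBKDF2-HMAC-SHA256 as a stand-in. The properties that matter are the
# same: a random per-user salt and a cost parameter that multiplies the
# attacker's work per guess.

ROUNDS = 100_000  # cost parameter; raise it as hardware gets faster

def slow_store(password, salt=None, rounds=ROUNDS):
    """Record as '<algo>$<rounds>$<salt>$<hash>', in the style of a bcrypt string."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"

def verify_slow(password, record):
    """Recompute with the stored salt and rounds, then constant-time compare."""
    algo, rounds, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

def crack_slow(record, wordlist):
    """Same dictionary attack against the hardened record. It still succeeds
    when the password is in the wordlist: the slow hash buys time per guess,
    it does not rescue a weak password."""
    for guess in wordlist:
        if verify_slow(guess, record):
            return guess
    return None

def cost_ratio(password="hunter2", guesses=3):
    """Rough wall-clock ratio of attacker work: slow record vs SHA-256 record."""
    fast_record = sha256_store(password)
    slow_record = slow_store(password)
    t0 = time.perf_counter()
    for _ in range(guesses):
        crack_sha256(fast_record, WORDLIST)
    fast = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(guesses):
        crack_slow(slow_record, WORDLIST)
    slow = time.perf_counter() - t0
    return slow / max(fast, 1e-9)

if __name__ == "__main__":
    leaked = sha256_store("hunter2")
    print("unsalted SHA-256 cracked:", crack_sha256(leaked, WORDLIST))
    rec = slow_store("hunter2")
    print("hardened record:", rec[:40] + "...")
    print("same password, different records:", slow_store("hunter2") != rec)
    print("attacker work per guess, slow/fast: ~%.0fx" % cost_ratio())
```

Two things the run shows that the paragraph above does not: two users with the same password get identical SHA-256 records (so one cracked hash unlocks every account sharing it, and a precomputed table works) but different salted records; and the salted, iterated hash is still cracked when the password is on the wordlist, so it raises the attacker's cost rather than eliminating the risk. Forcing resets, as Imgur did, is what actually retires the leaked credentials.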
Sad to say, data breach disclosures are an all too regular occurrence these days.
And a breach affecting 1.7M users appears almost modest beside some of the recently disclosed mega-hacks.
Principally, Yahoo's massive hacks in 2013 and 2014, which apparently affected all 3BN of its accounts.
But also just last week Uber disclosed a huge hack that compromised the personal data of 57M Uber users and drivers.
What is notable here is the apparent speed of disclosure. So while Imgur says it only became aware of the hack on November 23, by the morning of November 24 it had begun notifying impacted users (via their registered email address), and forcing password resets.
It also made a public disclosure of the breach via its blog post on November 24, at 4PM PST.
Compare that with Uber, which kept quiet about a massive October 2016 breach for the best part of a year, having learned that hackers stole the user data in November 2016.
In Uber's case, the compromised information also included PII (names, addresses, phone numbers and around 600,000 US drivers' licenses), so the associated risks to users, such as ID theft, are greater.
Another thing to note is that new rules incoming in the European Union will, from May next year, require data controllers to notify their supervisory authority of a breach within 72 hours of becoming aware of it. And under the GDPR data controllers will also face far stiffer penalties for failing to comply.
So, for example, under Europe's incoming rules the recent breach disclosed by Equifax, affecting ~143M consumers, including some in Europe, and including names, addresses, dates of birth, social security numbers, drivers' licenses and (for a subset) credit card info, could have resulted in a fine as high as $68.5M, based on projections for the company's full year revenue for 2017.
Whereas companies that disclose breaches promptly, as Imgur appears to have done here, will be at far lower risk of being slapped with large fines under GDPR, if they are also handling European citizens' data.
So perhaps, as the financial risks of storing and handling user data step up, we'll start to see more data breaches disclosed promptly. While, over time, EU lawmakers' hope is there will be fewer major breaches occurring as security and data protection is given far more executive priority.