MEME SHARING WEBSITE Imgur has admitted that 1.7 million email addresses and passwords were compromised in a 2014 breach that was only recently uncovered.
Imgur said on Friday that it first learned of the three-year-old hack via a security researcher, who has been outed by ZDNet as Troy Hunt, the creator of data breach notification service Have I Been Pwned.
Hunt notified Imgur of the breach on Thursday (Happy Thanksgiving!) and the firm was quick to notify affected users, of which there were 1.7 million. Imgur said that hackers took passwords scrambled with SHA-256, which it has since replaced with a stronger algorithm.
"We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time," Imgur said in a statement. "We updated our algorithm to the new bcrypt algorithm last year."
Imgur said the breach didn't include personal information because it has "never asked" for real names, addresses, or phone numbers.
"While we are still actively investigating the intrusion, we wanted to inform you as quickly as possible as to what we know and what we are doing in response," Imgur said.
Hunt has praised Imgur's quick response in a statement given to ZDNet, saying: "I disclosed this incident to Imgur late in the day in the midst of the US Thanksgiving holidays.
"That they could pick this up immediately, protect impacted accounts, notify individuals and prepare public statements in less than 24 hours is absolutely exemplary."
Imgur's response is a far cry from Uber's approach. The crapsicab firm recently covered up a hack under the leadership of now-ousted CEO Travis Kalanick, despite exposing the data of 57 million drivers and users of the ride-hailing service.
According to reports, Kalanick paid the hackers $100,000 to delete the data they collected and then failed to warn potential victims. µ