1.7 Million Imgur Passwords and Emails Stolen by Cyber Attackers in 2014

Imgur proudly states that the images available on imgur.com are the most viral. Unfortunately, it appears that the company should be focusing less on striking slogans and more on the protection of its users. On 23rd of November, Troy Hunt, a web security expert behind haveibeenpwned.com, informed about a massive data breach linked to the company. According to Zach Whittaker at ZDNet, the expert received stolen data and immediately warned the CEO of Imgur about the data breach, and, by the time an official statement was released the following data, 60% of 4.8 billion records had been placed on the “Have I Been Pwned?” website for users to check the security of their data. Unfortunately, this is not the first or, most likely, the last time a big volume of data was breached. However, in most cases, it does not take 4 years for the breach to be detected.

It appears that no one is safe when it comes to virtual data breaching. More recently, we had reported the data breaches linked to Equifax Inc., when the data of 143 million Equifax users was breached, or Apple Inc., who informed that sensitive data was breached and sold for $7.38 million. According to the official report by Imgur’s COO, Roy Sehgal, the data of 1.7 million Imgur users was stolen, and that it happened in 2014. At this time, it is not yet known how exactly this happened, but it is believed that data was leaked due to a weak encryption algorithm (SHA-256) that was used back in 2014. If that is the case, it is possible that the data of users who signed up after the algorithm update in 2016 is safe. That being said, other data breaches could still be discovered. The current breach, according to Seghal, affected email addresses and passwords, which is highly sensitive data that could be used to hijack Imgur accounts.

The Imgur data breach is particularly dangerous to those users who set up the same passwords and use the same email address for multiple accounts. In this case, all of these accounts could be affected by the attackers linked to the breach. According to the official statement, all users affected by the situation were/currently are notified via their email addresses to change passwords. This, undoubtedly, is the first step that must be taken. Of course, it is a good idea to change passwords of other accounts if they are identical to the one breached. Setting up a strong password is not difficult. While this password should be memorable, it should include uppercase and lowercase letters, as well as numbers and characters. It is also possible to employ the help of password managers and password generators. That is the part that the user has to take care of on their own. Imgur has also listed support@imgur.com as an email address customers could use to contact the company and discuss the breach further.

Although the spotlight right now in on Imgur, this is not the only company that might be dealing with security issues, and no one knows which one could be targeted by cyber attackers next. This is why it is crucial that companies take responsibility and better care of their users. Users themselves need to be cautious, and setting up strong, unique passwords is crucial. To take it up a notch, it is recommended that passwords are updated frequently. It is also important for users to keep up with security updates so that any data breaches or other security issues are not left unnoticed.


Sehgal, R. November 24, 2017. Notice of Data Breach. Imgur Blog.
Whittaker, Z. November 25, 2017. Imgur confirms email addresses, passwords stolen in 2014 hack. ZDNet.