1.7m Imgur accounts compromised after 2014 data breach
Usernames and passwords stolen by hackers


Picture hosting site Imgur has confirmed that 1.7 million user credentials were stolen as part of a hack that took place in 2014.
The attackers made off with email addresses and passwords, but the company stated that no other data was included in the breach, as "Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information".
The company has already begun resetting the passwords of affected users and has released a public disclosure notice detailing the breach and Imgur's response to it.
"We are still investigating how the account information was compromised. We have always encrypted your password in our database," the company stated, "but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time. We updated our algorithm to the new bcrypt algorithm last year."
Imgur, which has around 150 million monthly users, is one of the web's most widely-used picture hosting services, hosting images that are posted to internet message boards and social networks such as Reddit.
Imgur was alerted to the breach by Troy Hunt, the security researcher behind data breach cataloguing website Have I Been Pwned. He praised the company for its swift response to the incident after he told them on Thursday.
"I disclosed this incident to Imgur late in the day in the midst of the US Thanksgiving holidays," Hunt told ZDNet. "That they could pick this up immediately, protect impacted accounts, notify individuals and prepare public statements in less than 24 hours is absolutely exemplary."
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Hunt also said that more than half of the email addresses included in the incident had already appeared in Have I Been Pwned's database of previous breaches.
In addition to its users, the company said that it is planning to inform law enforcement agencies in its home state of California. "We take protection of your information very seriously and will be conducting an internal security review of our system and processes," Imgur said. "We apologize that this breach occurred and the inconvenience it has caused you."
Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.
Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.
You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.
-
CISA issues warning in wake of Oracle cloud credentials leak
News The security agency has published guidance for enterprises at risk
By Ross Kelly
-
Reports: White House mulling DeepSeek ban amid investigation
News Nvidia is caught up in US-China AI battle, but Huang still visits DeepSeek in Beijing
By Nicole Kobie
-
The IT Pro Podcast: The front line of fraud tech
IT Pro Podcast With tools such as deepfakes, the future of fraud tech relies on cutting edge AI as much as good security practice
By IT Pro
-
Podcast transcript: The front line of fraud tech
IT Pro Podcast Read the full transcript for this episode of the IT Pro Podcast
By IT Pro
-
LAPSUS$ breached T-Mobile systems, stole source code
News T-Mobile has denied that the hackers obtained customer or government information
By Sabina Weston
-
Exclusive: Former Shiseido staff say company was aware of data breach weeks before official notice
News Fake companies were created using the stolen identities of hundreds of Shiseido employees, former staff claim
By Sabina Weston
-
What is smishing?
In-depth A closer look at one of the most perilous forms of phishing
By Praharsha Anand
-
SentiLink raises $70 million for its identity verification platform
News SentiLink’s ID Theft Score helps businesses combat synthetic fraud
By Praharsha Anand
-
More than half of businesses saw rising fraud levels this year
News Each individual identity fraud attempt could cost an organisation between £1,000 and £4,999 on average
By Sabina Weston
-
A simple guide to the dark web
Whitepapers Why the continued rise of the dark web is a threat to corporate data and why businesses need to take action
By ITPro