Imgur says 1.7 million emails and passwords were breached in 2014 hack


Imgur, the image hosting site turned meme-sharing social network, is the latest tech service to confess to a security breach. In a blog post on Friday it revealed that hackers had compromised its systems in 2014, with ~1.7M emails and passwords affected.

Apparently no additional information was compromised in the breach.

"Imgur has never asked for real names, addresses, telephone numbers or other personally identifiable information ("PII"), so the information involved did NOT include said PII," it emphasizes.

While the hack happened three years ago, Imgur says it only came to light on November 23, when it was contacted by security researcher Troy Hunt, who had been sent the stolen data as a result of running the data breach notification service haveibeenpwned.

Hunt has since tweeted to confirm that most of the stolen credentials were already in his database (although he seems to have tweeted the wrong date for Imgur's hack).

Imgur has not so far confirmed how the breach occurred, saying it is still investigating. It does note that in 2014 it used an older hashing algorithm (SHA-256) to hash the passwords in its database, and suggests that hackers could have cracked the stolen credentials using a brute-force attack.

"We updated our algorithm to the new bcrypt algorithm last year," it adds.
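
As an added illustration (not code from Imgur or from the original article), here is one way a service can move stored passwords from a single fast SHA-256 pass to a salted, deliberately slow scheme by upgrading each record at the user's next successful login. Assumptions: PBKDF2 from Python's standard library stands in for bcrypt, the legacy hashes are taken to be unsalted (the article does not say), and the record format and function names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune it to your own hardware

def legacy_hash(password):
    # Assumed legacy record: one unsalted SHA-256 pass, cheap to guess against.
    return "sha256$" + hashlib.sha256(password.encode()).hexdigest()

def slow_hash(password, salt=None, iterations=ITERATIONS):
    # Per-user random salt plus a deliberately expensive key derivation.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"

def verify(password, stored):
    # Recompute the record with the scheme and parameters it was stored under.
    parts = stored.split("$")
    try:
        if parts[0] == "sha256" and len(parts) == 2:
            candidate = legacy_hash(password)
        elif parts[0] == "pbkdf2" and len(parts) == 4:
            candidate = slow_hash(password, bytes.fromhex(parts[2]), int(parts[1]))
        else:
            return False
    except ValueError:  # malformed salt or iteration count
        return False
    return hmac.compare_digest(candidate.encode(), stored.encode())

def login(db, user, password):
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith(f"pbkdf2${ITERATIONS}$"):
        # The plaintext is only available at login, so upgrade the record now.
        db[user] = slow_hash(password)
    return True

if __name__ == "__main__":
    db = {"alice": legacy_hash("correct horse battery")}  # constructed record
    print(login(db, "alice", "wrong guess"), db["alice"].split("$")[0])
    print(login(db, "alice", "correct horse battery"), db["alice"].split("$")[0])
```

Accounts that never log in again keep their legacy record under this approach, so a forced password reset, like the one Imgur carried out, is what retires those records.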

Sad to say, revelations of data breaches are an all too common occurrence these days.

And a breach that affects 1.7 million users seems almost modest next to some of the recently disclosed mega-hacks.

Mainly, Yahoo's massive hacks in 2013 and 2014, which apparently affected all 3BN of its accounts.

But also last week Uber revealed a huge hack that compromised the personal data of 57M Uber users and drivers.

What is remarkable here is the apparent speed of disclosure. Imgur says it only heard about the attack on November 23, yet by the morning of November 24 it had started notifying affected users (via their registered email addresses) and forcing password resets.

It also made a public disclosure of the breach through its blog on November 24, at 4 p.m. PST.

Compare that with Uber, which was silent about a massive October 2016 breach for most of a year, after learning that hackers had stolen user data in November 2016.

In the case of Uber, the information involved also included PII (names, addresses, telephone numbers and about 600,000 US driver's licenses). Therefore, the associated risks for users, such as identity theft, are greater.

Another thing to note is that incoming rules in the European Union will establish a 72-hour data breach disclosure standard from May next year. And under the GDPR, data controllers will also face much more severe penalties for failing to comply.

Thus, for example, under Europe's incoming rules, the recent breach disclosed by Equifax, which affects ~143 million consumers, including some in Europe, and includes names, addresses, dates of birth, social security numbers, driver's licenses and (for a subset) credit card information, could have resulted in a fine of up to $68.5M, according to projections of the company's annual revenues for 2017.

Meanwhile, companies that report breaches quickly, as Imgur seems to have done here, will have a much lower risk of being slapped with large fines under GDPR, if they are also handling the data of European citizens.

So perhaps, as the financial risks of storing and managing user data increase, we will begin to see more data breaches disclosed promptly. And, over time, the hope of EU lawmakers is that there will be fewer major breaches as security and data protection receive much more executive priority.
