Imgur confirmed this weekend that a 2014 hack exposed the email addresses and passwords of approximately 1.7 million user accounts.

"We are still investigating how the account information was compromised. We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time. We updated our algorithm to the new bcrypt algorithm last year," Imgur COO Roy Sehgal wrote in a blog post.

Imgur notes that only email addresses and passwords were affected by this security issue, as the company doesn't ask users for any other personally identifying information. It is now reaching out to affected users, whose passwords have been reset.

Going forward, Imgur suggests that users create strong, frequently updated passwords, and that they use unique combinations of users names and passwords for logging into websites and web services.

"We take protection of your information very seriously and will be conducting an internal security review of our system and processes. We apologize that this breach occurred and the inconvenience it has caused you. If you have questions, we encourage you to contact us at [email protected]," Sehgal writes.

Related Reddit Ditches Imgur for Its Own Image Upload Tool

Troy Hunt, who runs the website Have I Been Pwned, initially received the stolen list of user accounts and passwords—60 percent of which already exist in his website's tracking database. As ZDNet notes, he disclosed the security breach to Imgur on Thursday, and praised the company for its speedy, off-hours response.

"I disclosed this incident to Imgur late in the day in the midst of the US Thanksgiving holidays. That they could pick this up immediately, protect impacted accounts, notify individuals and prepare public statements in less than 24 hours is absolutely exemplary," Hunt told ZDNet

Further Reading

Security Reviews