Imgur Warns: Old Breach Compromised 1.7 Million AccountsAccess Credentials Stolen in 2014 From Popular Photo-Sharing Service Surface
The steady stream of reports about years-old breaches continues. The latest such data breach report: Imgur, the popular photo-sharing service, has belatedly warned users that 1.7 million accounts were compromised in 2014.
Imgur says it was unaware of the breach until it received a heads-up on Nov. 23 from Troy Hunt, an Australian data breach and security expert. One day later, Imgur posted a notification on its website saying it will notify affected users and force these users to reset their passwords.
"While we are still actively investigating the intrusion, we wanted to inform you as quickly as possible as to what we know and what we are doing in response," says Roy Sehgal, Imgur's chief operating officer, in a statement.
Imgur says no personally identifying information is at risk because the service does not collect information such as real names, addresses or phone numbers.
I want to recognise @imgur's exemplary handling of this: that's 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure. Kudos! https://t.co/jV8MDscXLT— Troy Hunt (@troyhunt) November 25, 2017
Imgur's breach alert comes after data from several breaches that occurred years ago were passed to Hunt by an anonymous source. Hunt says the same person who passed him the Imgur data also gave him data from Reverb Nation, Kickstarter, Bitly, Disqus and three other services. The source's motivations are unclear.
Weak Passwords Cracked
Imgur says that when the credentials were stolen, it was hashing passwords using the SHA-256 algorithm. Hashing is the process by which a plaintext password is processed by an algorithm to generate a cryptographic representation, which is safer to store.
Hashing is supposed to be a one-way, irreversible process. But more powerful computing power has eroded the safety of using certain algorithms, including SHA-256, particularly when users pick a weak password and services allow them to do so (see Why Are We So Stupid About Allowing Overused Passwords?).
Hunt says he received 1.7 million Imgur usernames and plain text passwords, which means someone had already cracked the hashes created by Imgur. Most of the passwords are weak, Hunt says.
Hunt says he's added all of the email addresses to his Have I Been Pwned free data breach notification service, which emails breach victims whenever their credentials appear in a dump (see Troy Hunt: The Delicate Balance in Data Breach Reporting).
The data in the form that Hunt received it could have been easily used for so-called "credential stuffing" attacks. Those involve taking compromised credentials from one service and seeing if the data unlocks accounts on other services.
Imgur has not said if the hashes had "salt" and didn't immediately respond to a request for comment. Salt is an additional security measure that makes it tougher to crack the hash. But Hunt says Imgur's failure to be using salt in 2014 wouldn't be surprising, noting that Imgur's password-storage scheme likely "would have been a design decision made many years before that."
Evidence of a Larger Breach?
As of two years ago, Imgur claimed to have 150 million monthly active users. Using that figure, the number of compromised accounts reported by Hunt represents to be a small percentage of its overall user base.
But many of the large breaches revealed in recent times - such as Yahoo, Dropbox and LinkedIn - compromised a much larger percentages of users. Could more data have been taken from Imgur than what is now known?
Hunt says it's possible that what he received were just the accounts that had the easiest password hashes to brute-force crack.
But it may be impossible for even Imgur to determine if it fell victim to a much larger breach. Breaches such as Imgur's breach "date back years," Hunt says. "The ability to actually go through and do any sort of degree of forensics is especially hard."
Indeed, architectural changes undertaken over the years can limit an organization's ability to recover meaningful clues, security experts say. And unless organizations think ahead about the type of data they should be collecting now to aid any future incident response efforts, they will often have a tough time figuring out what happened even in the wake of a relatively fresh breach (see Equifax's May Mega-Breach Might Trace to March Hack).
Imgur's Belated Move to Bcrypt
Imgur says that last year, it began hashing passwords with bcrypt. While it takes computers much more time to calculate bcrypt hashes than SHA-256 hashes, the latter has fallen out of favor due to the relatively poor protection it offers.
"Obviously, bcrypt is the right thing to do," Hunt says.
But Hunt says Imgur didn't indicate the "work factor" it uses in combination with bcrypt, which increases the processing that an attacker would have to bring to bear to try and brute-force any given hash.
One problem, however, is that until 2016, Imgur was apparently using SHA-256 without a salt, "which is really starting to push the bounds of acceptable cryptographic storage," Hunt says.
Although Imgur has moved to bcrypt, the shift likely only applies to passwords that have been created since it made the move. Imgur didn't immediately respond to a request for comment. But it's likely that Imgur has a mix of older SHA-256 hashes as well as newer bcrypt hashes. This situation is not unusual for service providers, which seem to fear that forcing password resets on all users will lead users to abandon their service.
Service providers could force such moves in one clean sweep by forcing everyone to reset their passwords. But beyond potentially annoying users, such a move is often an indication that the company suspects it may have suffered a breach.
Another option would be to transition users to the new type of password hashing by taking any plain text passwords and hashing them with bcrypt. But that approach also prolongs the period of time when there's a mix of both bcrypt and other hashes, Hunt says.
Instead, Hunt advises organizations to just wrap bcrypt around everything. For Imgur, for example, this would involve taking the SHA-256 hashes and hashing them again with bcrypt. "It avoids this sort of problem where you've got one foot in both camps, and you get popped halfway through it," Hunt says.