Imgur Confirms Email Addresses, Passwords Stolen In 2014 Hack

An anonymous reader quotes a report from ZDNet: Imgur, one of the world's most visited websites, has confirmed a hack dating back to 2014. The company confirmed to ZDNet that hackers stole 1.7 million email addresses and passwords, scrambled with the SHA-256 algorithm, which has been passed over in recent years in favor of stronger password scramblers. Imgur said the breach didn't include personal information because the site has "never asked" for real names, addresses, or phone numbers. The stolen accounts represent a fraction of Imgur's 150 million monthly users. The hack went unnoticed for four years until the stolen data was sent to Troy Hunt, who runs data breach notification service Have I Been Pwned. Hunt informed the company on Thursday, a US national holiday observing Thanksgiving, when most businesses are closed. A day later, the company started resetting the passwords of affected accounts, and published a public disclosure alerting users of the breach.

who uses imgur with login?

[Speare]

I don't use imgur in any sort of commentary capacity. You don't need to log in to post images, and that's the key draw, or so I thought. To me it's simply an anonymous pastebin for images. I'm actually amazed anyone has given imgur their email address to begin with.

Re:who uses imgur with login?

[Mashiki]

Imgur has a huge community of basically viral ad marketers, and rampant narcissism. It's basically the equivalent of neogaf in terms of commentary quality.

Re:

[fazig]

It's a hive mind with herd and mob mentality when it comes to the comment section. But I have to admit that it is not too far from what slashdot is nowadays, when I see strawman fallacies, false dichotomies, and whataboutism getting modded insightful.

Re:

[JustAnotherOldGuy]

It's a hive mind with herd and mob mentality when it comes to the comment section.

Can confirm.

If you voice an opinion that falls even slightly outside the groupthink of the Imgur community, you'll be innundated with downvotes, hate mail, and comments telling you to die. They have NO tolerance for anyone that doesn't hew to the Imgur party line, no matter how innocuous, true, or fair your comment is.

It's also been infested with astroturf accounts selling/promoting shit, and this is WITH the full knowledge and cooperation of the admins there (because they get a cut of the profits, of cours

Re:

[Bloxclay]

funny btw that they should mention have I been pwned some one at the collage introduced me to that site about 3-4 months ago along with one of those websites sadly I can't remember the name of where you input a website url and it checks if it has been compromised or if it is safe;.

wow

[AndyKron]

They didn't even know it happened.

Re:

[ShanghaiBill]

They didn't even know it happened.

That should not surprise you. Most intrusions and data thefts are not detected. Some estimates are that for every breach you hear about, there are ten that you don't.

Re:

[AC-x]

if they think that you use SHA-256 to __scramble__ data, then obviously they know jack shit about security

Those are the words of ZDNet, not Imgur.

Imgur said the passwords were encrypted with SHA-256, which of course is even worse! Probably didn't use a salt either...

Passwords

[Hal_Porter]

It doesn't matter if your password is stolen if you only use it for one site.

I ended up doing something like this. Put it in ~/.bash_profile

function randpass
{
openssl rand 4096 | openssl dgst -binary -sha512 | openssl dgst -binary -sha512 | openssl base64 | tr -d "/=+\n" | head -c ${1:-32}
}

I.e. get 4096 bytes of random data from openssl. Hash it to sha512 a couple of times to shuffle the bits. Then encode to base64. Remove any characters that might cause problems leaving [A-Za-z0-9] which most sites allow.

Re:

[AC-x]

Actually once I got this to work I invented a more elaborate version that encrypted with a per device private RSA key, randomized the number of sha512 hashing stages and so on. But that only matters if you think an attacker can work out what openssl rand returned on your device, which they probably can't.

Why not just read cryptographically secure random bytes from /dev/random ?

Re:

[Hal_Porter]

openssl rand n does use /dev/urandom on a Unix like OS, but it doesn't just directly read n bytes from it, it does a bit of munging, like reading a few bytes at startup and using that as a seed for its own PRNG.

https://security.stackexchange... [stackexchange.com]

And of course openssl works on OSs that don't have a /dev/urandom at all - e.g. on Win32 it calls Win32 crypto function to get a seed and then uses that for its own PRNG.

Basically the openssl guys don't seem to trust /dev/urandom to be random. E.g. the stack exchange

Re: Passwords

[AC-x]

I said /dev/random, not /dev/urandom :P /dev/random is supposed to be cryptographically secure on its own, and as you're only generating occasional passwords with it there shouldn't be any problem of exhausting the entropy pool.

Re:

[Hal_Porter]

Well I want the script to run on macOS, Windows Cygwin and Linux. I dunno if I trust either /dev/random or /dev/urandom on all of those. And openssl and bash are installed on all of them. I trust the openssl guys more than I trust the OS vendors not to have some backdoor or a cryptographically crippled /dev/[u]random.

Re: Passwords

[AC-x]

Sure, but generally it's better to use an existing cryptographically secure system then trying to roll your own, as there's always the possibility of making a mistake and making the previously secure random less secure.

Also OpenSSL doesn't exactly have a perfect security record!