Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser known incident that has outsized implications for the security industry.
In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.
So without further ado, our breach of the month for November 2017 is… the recently discovered breach of user information at Imgur.
Our choice for November’s data breach of the month is a smaller scale, and less damaging incident than some of the others we’ve covered, but it has some characteristics that make it an interesting case study. The breach in question was 1.7 million email addresses and passwords belonging to users of Imgur, a popular photo-sharing website. Similarly to last month’s breach at Disqus, the Imgur breach was spotted years after the fact by Troy Hunt of Have I Been Pwned, who was sent stolen Imgur data and alerted the company.
Fortunately, no personally identifiable information (PII) was stolen. This is because Imgur does not require personal information from its users beyond an email address and password.
The method is suspected to have been a brute force attack against the SHA-256 algorithm that was being used at the time to encrypt passwords in the database.
The breach occurred in 2014, and Imgur updated their algorithm in 2016 to a stronger password scrambler called bcrypt. Companies who are still using SHA-256 should consider doing the same. Bcrypt is resistant to brute force attacks because it uses a technique called “key stretching”, which continually slows down the time it takes to test each possible key during a series of attempts.
The impact of the breach was also greatly reduced by the fact that Imgur was not storing the personally identifiable information (PII) of its customers. Storing PII makes you a target for hackers and opens you up to compliance risk, so it is worth considering what customer data you actually need to have.
As was also the case in the Disqus breach, Hunt praised Imgur for their quick response to the event. The breach was discovered on the morning of November 24th, over the Thanksgiving long weekend, but Imgur immediately mobilized personnel to assess the damage, issue a public disclosure, and begin resetting passwords. The response included immediate involvement from the CEO, COO, and VP of Engineering, and resulted in Imgur being ready to release a public statement that same afternoon. Having incident response and crisis communication plans in place will make it much easier for you to replicate this type of seamless response and negate any additional negative publicity.
Imgur also told ZDNet that they would be disclosing the breach to the California Attorney General, among other government bodies. Organizations often fail to account for compliance reporting when making incident response plans, and find themselves exacerbating their post-breach issues. When establishing your IR processes, make sure you have systems and processes in place to retain, locate, and deliver relevant information from across the organization.
While this breach may have been relatively minor, we think it is worth paying attention to because of the important data breach concepts that it relates to, such as the possibility of breaches going unnoticed for years, the importance of maintaining and upgrading security practices, the reputational benefits of rapid response, and the need to consider compliance implications.
We’ll see you back here next month for a new Breach of the Month.