Slashdot Mirror


Imgur Confirms Email Addresses, Passwords Stolen In 2014 Hack (zdnet.com)

An anonymous reader quotes a report from ZDNet: Imgur, one of the world's most visited websites, has confirmed a hack dating back to 2014. The company confirmed to ZDNet that hackers stole 1.7 million email addresses and passwords, scrambled with the SHA-256 algorithm, which has been passed over in recent years in favor of stronger password scramblers. Imgur said the breach didn't include personal information because the site has "never asked" for real names, addresses, or phone numbers. The stolen accounts represent a fraction of Imgur's 150 million monthly users. The hack went unnoticed for four years until the stolen data was sent to Troy Hunt, who runs data breach notification service Have I Been Pwned. Hunt informed the company on Thursday, a US national holiday observing Thanksgiving, when most businesses are closed. A day later, the company started resetting the passwords of affected accounts, and published a public disclosure alerting users of the breach.

38 comments

  1. Imgur is completely broken now by Anonymous Coward · · Score: 0

    Starting last night it's impossible to login. They make me do a ridiculous number of captchas and then after jumping through all those hoops, tell me I entered the wrong password. Double checked and triple checked and made sure I was entering the correct password. Same thing. Changed my password. Same thing.

    Fuck you. Seriously. Fuck you.

    1. Re: Imgur is completely broken now by Anonymous Coward · · Score: 0

      They are collecting your passwords for your other accounts.

  2. imagine ur by Anonymous Coward · · Score: 0

    sucking on my DAMN balls

  3. Imgur is reddit shit anyway by Anonymous Coward · · Score: 0

    Imgur was created for redditors to share their Rick and Morty memes. Meanwhile Goatse was created for Slashdot to share the original memes. It's even a cryptocurrency now.

    1. Re:Imgur is reddit shit anyway by Anonymous Coward · · Score: 0

      Imgur was created for redditors to share their Rick and Morty memes

      Bloody time travelers!

  4. Lurker forever by Anonymous Coward · · Score: 0

    +1 for lurker strategy

  5. who uses imgur with login? by Speare · · Score: 1

    I don't use imgur in any sort of commentary capacity. You don't need to log in to post images, and that's the key draw, or so I thought. To me it's simply an anonymous pastebin for images. I'm actually amazed anyone has given imgur their email address to begin with.

    --
    [ .sig file not found ]
    1. Re:who uses imgur with login? by Anonymous Coward · · Score: 0

      the masses are stupid. gotta tally those fake +1s, likes, thumbs-up, comments, and try to claim credit for the next viral post.

    2. Re:who uses imgur with login? by Mashiki · · Score: 3, Informative

      Imgur has a huge community of basically viral ad marketers, and rampant narcissism. It's basically the equivalent of neogaf in terms of commentary quality.

      --
      Om, nomnomnom...
    3. Re:who uses imgur with login? by fazig · · Score: 1

      It's a hive mind with herd and mob mentality when it comes to the comment section. But I have to admit that it is not too far from what slashdot is nowadays, when I see strawman fallacies, false dichotomies, and whataboutism getting modded insightful.

    4. Re:who uses imgur with login? by Bloxclay · · Score: 1

      Funny, btw, that they should mention Have I Been Pwned; someone at the college introduced me to that site about 3-4 months ago, along with one of those websites (sadly I can't remember the name) where you input a website URL and it checks if it has been compromised or if it is safe.

      --
      Switch it Off,Switch it On[SOSO] Solves 95% of all IT problems!
    5. Re:who uses imgur with login? by JustAnotherOldGuy · · Score: 1

      It's a hive mind with herd and mob mentality when it comes to the comment section.

      Can confirm.

      If you voice an opinion that falls even slightly outside the groupthink of the Imgur community, you'll be inundated with downvotes, hate mail, and comments telling you to die. They have NO tolerance for anyone that doesn't hew to the Imgur party line, no matter how innocuous, true, or fair your comment is.

      It's also been infested with astroturf accounts selling/promoting shit, and this is WITH the full knowledge and cooperation of the admins there (because they get a cut of the profits, of course). Imgur staff admitted it, and there were endless angry discussions about the fake accounts.

      So yeah, it's pretty much a shitshow now, worse than ever before.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    6. Re:who uses imgur with login? by Anonymous Coward · · Score: 0

      Enter your username, password, date of birth, and SSN here, and I'll tell you if you've been pwned!

    7. Re:who uses imgur with login? by Anonymous Coward · · Score: 0

      I use the login because I am prone to forgetting new passwords; besides, I use a throwaway email id for these types of logins (for fun and profit). Keeps the main email id clear of spam, ads, pesky promos, etc.

      Mostly the login is for screenshots, and the forum would rather we point to a public imagebin like imgur than upload large images to their forum's server for discussion purposes only (it's a tech help site).

    8. Re: who uses imgur with login? by Anonymous Coward · · Score: 0

      Your brain is broken.

    9. Re:who uses imgur with login? by Anonymous Coward · · Score: 0

      ...or you could try being a normal human being and you won't attract people mocking you.

    10. Re:who uses imgur with login? by Anonymous Coward · · Score: 0

      Remember when you said that child brides were as American as apple pie? That was strange.

      Can you imagine a world where you go to a website and don't immediately check the terms of service to know how annoying you're allowed to be and what you can tattle on other users for?

      I'll tell you a secret: nobody gives a shit about a ToS anywhere. They have little legal value and only exist to silence people who cry about getting banned. Do you believe in EULAs? What about Santa? What if I tell you that by not posting my name you become my servant for 1000 years. Do you believe that?

    11. Re:who uses imgur with login? by Anonymous Coward · · Score: 0

      Fat chance he won't stop saying "underage sweet thing" even though it's been clearly explained several times that it freaks people out.
      It's also been explained that any unsanctioned attempts to advertise won't go over well with Slashdot.
      He's totally incapable of understanding even the most reasonable of social norms.

    12. Re:who uses imgur with login? by Anonymous Coward · · Score: 0

      So how does creimer look at a dick and know that it is not only part of a 'school boy' but a Russian one??

      Unless he posted them himself. How did you know that someone posted them. You say imgur now and before that you said Russian imageboards.

      Fuckoff fat pedo piece of shit

  6. who uses imgur mobile with login? by Anonymous Coward · · Score: 0

    I think if you're using the mobile app you have to have all that.

  7. wow by AndyKron · · Score: 2

    They didn't even know it happened.

    1. Re:wow by ShanghaiBill · · Score: 1

      They didn't even know it happened.

      That should not surprise you. Most intrusions and data thefts are not detected. Some estimates are that for every breach you hear about, there are ten that you don't.

  8. O say can you see by Anonymous Coward · · Score: 0

    by the dawn's early light
    what so proudly we hail
    dah dah dah dah dah dah
    and the rocket's red glare
    the bombs bursting in air
    gave proof dah dah dah
    that our flag was still there
    so dah dah dah dah dah
    dah dah dah dah dah

    on your feet (white guys) or on your knees (black dudes)

  9. What is an imgur? by Anonymous Coward · · Score: 0

    Never heard of it.

  10. Never heard of it by Anonymous Coward · · Score: 0

    I honestly never heard of it, so I guess I dodged a bullet on that one. Seriously, all they can do is reset passwords from a 2014 hack? Yep, I just refrain from joining any sites anymore. They all seem to get hacked eventually.

  11. "Free" Image Hosting by Anonymous Coward · · Score: 0

    I stopped using Imgur when it wanted me to login to share an image. Fuuuuck that. That just leads to this shit.

    1. Re:"Free" Image Hosting by Anonymous Coward · · Score: 0

      They've never required a login. They've gotten obnoxious about promoting their app, but you can upload images "anonymously" just fine. I was surprised to see the breach was so large, I can't believe that many people actually registered an account. To me, non-attribution is the entire point of imgur.

  12. Scrambled with SHA-256? by Anonymous Coward · · Score: 0

    Well, if they think that you use SHA-256 to __scramble__ data, then obviously they know jack shit about security. So much for the people in charge of security at Imgur.

    1. Re:Scrambled with SHA-256? by AC-x · · Score: 1

      if they think that you use SHA-256 to __scramble__ data, then obviously they know jack shit about security

      Those are the words of ZDNet, not Imgur.

      Imgur said the passwords were encrypted with SHA-256, which of course is even worse! Probably didn't use a salt either...
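      Added example (not code from the post, ZDNet or Imgur) contrasting the unsalted SHA-256 storage the thread suspects with a salted, iterated password hash. The sample password and the PBKDF2 iteration count are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential for this example; not taken from any breach.
SAMPLE_PW = "correct horse battery staple"

# Iteration count is an assumption for this example (OWASP's 2023 figure for PBKDF2-HMAC-SHA256).
ITERATIONS = 600_000


def sha256_unsalted(password: str) -> str:
    """Plain SHA-256 of the password: fast and deterministic, so every account
    with the same password stores the same digest and one precomputed table
    of common passwords covers an entire dump."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash in the form pbkdf2_sha256$<iters>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = os.urandom(16)  # fresh per-record salt from the OS CSPRNG
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_repeats_and_salted_differs(password: str) -> bool:
    """Two accounts sharing a password: identical unsalted digests, distinct salted records."""
    return (sha256_unsalted(password) == sha256_unsalted(password)
            and hash_password(password) != hash_password(password))
```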

  13. I have for months now (malware servers there) by Anonymous Coward · · Score: 0

    I have for months now (malware sites hosted there) shown RIGHT NOW as I write this, here https://safeweb.norton.com/buzz/ as (going to 'obfuscate this' as I see it done on many security site blogs) https://safeweb.norton.com/rep... stating that site is serving up exploits/malicious bs from it via imgur[.]ru...

    APK

    P.S.=> See subject - THAT is FAR from a "1st" too - & when THAT happens? I block the ENTIRE DOMAIN off in hosts after that much evidence of it... apk

  14. Passwords by Hal_Porter · · Score: 1

    It doesn't matter if your password is stolen if you only use it for one site.

    I ended up doing something like this. Put it in ~/.bash_profile

    function randpass
    {
        openssl rand 4096 |              # 4096 random bytes from OpenSSL's CSPRNG
        openssl dgst -binary -sha512 |   # SHA-512 of the stream (64 raw bytes)
        openssl dgst -binary -sha512 |   # hash the digest again
        openssl base64 |                 # base64-encode (output is line-wrapped)
        tr -d "/=+\n" |                  # drop the non-alphanumeric base64 symbols and newlines
        head -c "${1:-32}"               # keep the first n chars, n defaulting to 32
    }

    I.e. get 4096 bytes of random data from openssl. Hash it with sha512 a couple of times to shuffle the bits. Then encode to base64. Remove any characters that might cause problems, leaving [A-Za-z0-9], which most sites allow. Then pick the first n chars (where n defaults to 32 and is passed as an argument).

    E.g.

    randpass

    To get the default 32 char password, or you can override that on the command line if you know the maximum password length the site supports. E.g.

    randpass 64

    Gives a 64 char password.

    I store 'em in a text file in a small TrueCrypt volume as a backup and sync that across devices. For things like imgur.com I let the browser remember them because there's nothing too critical about the account. The password has 62^32 combinations which is hard to brute force and even if someone did brute force it, who cares? All they'll learn is that my password to other sites needs another 62^32/2 tries to brute force which is probably not worth their time.

    And if you know the site allows longer passwords, just tell randpass on the command line. E.g.

    randpass 64

    Actually once I got this to work I invented a more elaborate version that encrypted with a per device private RSA key, randomized the number of sha512 hashing stages and so on. But that only matters if you think an attacker can work out what openssl rand returned on your device, which they probably can't.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    1. Re:Passwords by AC-x · · Score: 1

      Actually once I got this to work I invented a more elaborate version that encrypted with a per device private RSA key, randomized the number of sha512 hashing stages and so on. But that only matters if you think an attacker can work out what openssl rand returned on your device, which they probably can't.

      Why not just read cryptographically secure random bytes from /dev/random ?

    2. Re:Passwords by Hal_Porter · · Score: 1

      openssl rand n does use /dev/urandom on a Unix like OS, but it doesn't just directly read n bytes from it, it does a bit of munging, like reading a few bytes at startup and using that as a seed for its own PRNG.

      https://security.stackexchange...

      And of course openssl works on OSs that don't have a /dev/urandom at all - e.g. on Win32 it calls a Win32 crypto function to get a seed and then uses that for its own PRNG.

      Basically the openssl guys don't seem to trust /dev/urandom to be random. E.g. the Stack Exchange source says

      You do not want to trust that the random source is random. /dev/urandom in particular is not trustworthy because in guaranteeing that it will not block on low-entropy conditions, it fails to guarantee that the output is actually random. The manpage man 4 urandom has more information on this, including a cryptic allusion to an attack some government body may or may not have predicated on this condition. Suitability tests can be conducted on this data, or it can be mutated in some way to concentrate entropy, or different sources can be combined.

      Which I think is a reference to this

      https://linux.die.net/man/4/ur...

      A read from the /dev/urandom device will not block waiting for more entropy. As a result, if there is not sufficient entropy in the entropy pool, the returned values are theoretically vulnerable to a cryptographic attack on the algorithms used by the driver. Knowledge of how to do this is not available in the current unclassified literature, but it is theoretically possible that such an attack may exist. If this is a concern in your application, use /dev/random instead.

      And essentially running the output of openssl rand through sha512 a couple of times does a bit more munging. And running it through sha512 a random number of times and then encrypting with a per device RSA private key does even more munging.

      As with most things in life you have to decide what level of munging you feel comfortable with and code to that level. Personally I use the maximum level, though of course it's debatable whether this is overkill or not.

      It may well be that just reading from /dev/urandom on your OS is good enough.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    3. Re: Passwords by AC-x · · Score: 1

      I said /dev/random, not /dev/urandom :P /dev/random is supposed to be cryptographically secure on its own, and as you're only generating occasional passwords with it there shouldn't be any problem of exhausting the entropy pool.

    4. Re: Passwords by Hal_Porter · · Score: 1

      Well I want the script to run on macOS, Windows Cygwin and Linux. I dunno if I trust either /dev/random or /dev/urandom on all of those. And openssl and bash are installed on all of them. I trust the openssl guys more than I trust the OS vendors not to have some backdoor or a cryptographically crippled /dev/[u]random.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    5. Re: Passwords by AC-x · · Score: 1

      Sure, but generally it's better to use an existing cryptographically secure system than trying to roll your own, as there's always the possibility of making a mistake and making the previously secure random less secure.

      Also OpenSSL doesn't exactly have a perfect security record!
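      Added example (not code from any poster) serving both Hal_Porter's description of the randpass pipeline and the /dev/random vs openssl rand debate that follows it: a Python re-creation of the pipeline next to a generator that draws straight from the OS CSPRNG, plus a check of the 62^32 figure. It also shows a limit of the pipeline that the thread does not mention: the output can never exceed the 86 symbols of one base64-encoded SHA-512 digest, so a large argument silently yields a short password. The function names and the sample lengths are this example's own assumptions.

```python
import base64
import hashlib
import math
import os
import secrets
import string

# The [A-Za-z0-9] set that randpass leaves after stripping "/", "+" and "=".
ALPHABET = string.ascii_letters + string.digits


def randpass_pipeline(n: int = 32) -> str:
    """Python equivalent of the shell pipeline from the thread:
    4096 CSPRNG bytes -> sha512 -> sha512 -> base64 -> strip "/=+\\n" -> first n chars.
    The extra hashing stages change no entropy: whatever survives is a function
    of one 64-byte digest, and the result is truncated, not extended, to n."""
    digest = hashlib.sha512(hashlib.sha512(os.urandom(4096)).digest()).digest()
    encoded = base64.b64encode(digest).decode()  # 88 chars, last two are "=" padding
    stripped = encoded.translate(str.maketrans("", "", "/=+\n"))
    return stripped[:n]  # silently shorter than n when n exceeds len(stripped)


def randpass_direct(n: int = 32) -> str:
    """The alternative the replies argue for: each character drawn from the OS CSPRNG
    (secrets.choice reads os.urandom) with no hashing stages and no length ceiling."""
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


def max_pipeline_length() -> int:
    """Upper bound on the pipeline's output: a 64-byte digest base64-encodes to 88 symbols,
    86 once "=" padding is removed, and fewer still after "/" and "+" are stripped."""
    return len(base64.b64encode(b"\x00" * 64).decode().rstrip("="))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guess-space in bits for a uniformly chosen password: log2(alphabet_size ** length).
    The thread's 62^32 works out to about 190.5 bits."""
    return length * math.log2(alphabet_size)


def is_valid(pw: str, n: int) -> bool:
    """True when the password has exactly n chars, all from ALPHABET."""
    return len(pw) == n and all(c in ALPHABET for c in pw)
```

For lengths up to 64 both generators agree on the alphabet and the length; only the direct generator honours requests longer than one digest's worth of base64.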