Slashdot Mirror


Imgur Confirms Email Addresses, Passwords Stolen In 2014 Hack (zdnet.com)

An anonymous reader quotes a report from ZDNet: Imgur, one of the world's most visited websites, has confirmed a hack dating back to 2014. The company confirmed to ZDNet that hackers stole 1.7 million email addresses and passwords, scrambled with the SHA-256 algorithm, which has been passed over in recent years in favor of stronger password scramblers. Imgur said the breach didn't include personal information because the site has "never asked" for real names, addresses, or phone numbers. The stolen accounts represent a fraction of Imgur's 150 million monthly users. The hack went unnoticed for four years until the stolen data was sent to Troy Hunt, who runs data breach notification service Have I Been Pwned. Hunt informed the company on Thursday, a US national holiday observing Thanksgiving, when most businesses are closed. A day later, the company started resetting the passwords of affected accounts, and published a public disclosure alerting users of the breach.

14 of 38 comments

  1. who uses imgur with login? by Speare · · Score: 1

    I don't use imgur in any sort of commentary capacity. You don't need to log in to post images, and that's the key draw, or so I thought. To me it's simply an anonymous pastebin for images. I'm actually amazed anyone has given imgur their email address to begin with.

    --
    [ .sig file not found ]
    1. Re:who uses imgur with login? by Mashiki · · Score: 3, Informative

      Imgur has a huge community of basically viral ad marketers, and rampant narcissism. It's basically the equivalent of neogaf in terms of commentary quality.

      --
      Om, nomnomnom...
    2. Re:who uses imgur with login? by fazig · · Score: 1

      It's a hive mind with herd and mob mentality when it comes to the comment section. But I have to admit that it is not too far from what slashdot is nowadays, when I see strawman fallacies, false dichotomies, and whataboutism getting modded insightful.

    3. Re:who uses imgur with login? by Bloxclay · · Score: 1

      Funny, btw, that they should mention Have I Been Pwned. Someone at the college introduced me to that site about 3-4 months ago, along with one of those websites (sadly I can't remember the name) where you input a website URL and it checks if it has been compromised or if it is safe.

      --
      Switch it Off,Switch it On[SOSO] Solves 95% of all IT problems!
    4. Re:who uses imgur with login? by JustAnotherOldGuy · · Score: 1

      It's a hive mind with herd and mob mentality when it comes to the comment section.

      Can confirm.

      If you voice an opinion that falls even slightly outside the groupthink of the Imgur community, you'll be inundated with downvotes, hate mail, and comments telling you to die. They have NO tolerance for anyone that doesn't hew to the Imgur party line, no matter how innocuous, true, or fair your comment is.

      It's also been infested with astroturf accounts selling/promoting shit, and this is WITH the full knowledge and cooperation of the admins there (because they get a cut of the profits, of course). Imgur staff admitted it, and there were endless angry discussions about the fake accounts.

      So yeah, it's pretty much a shitshow now, worse than ever before.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  2. wow by AndyKron · · Score: 2

    They didn't even know it happened.

    1. Re:wow by ShanghaiBill · · Score: 1

      They didn't even know it happened.

      That should not surprise you. Most intrusions and data thefts are not detected. Some estimates are that for every breach you hear about, there are ten that you don't.

  3. Passwords by Hal_Porter · · Score: 1

    It doesn't matter if your password is stolen if you only use it for one site.

    I ended up doing something like this. Put it in ~/.bash_profile

    function randpass
    {
        # 4096 random bytes from openssl, hashed twice with SHA-512 (64-byte digest),
        # base64-encoded (88 chars incl. "==" padding), stripped of '/', '=', '+' and
        # newlines so only [A-Za-z0-9] remain, then cut to $1 chars (default 32).
        # Because the digest is 64 bytes, at most ~86 chars are ever available.
        openssl rand 4096 | openssl dgst -binary -sha512 | openssl dgst -binary -sha512 | openssl base64 | tr -d "/=+\n" | head -c "${1:-32}"
    }

    I.e. get 4096 bytes of random data from openssl. Hash it to sha512 a couple of times to shuffle the bits. Then encode to base64. Remove any characters that might cause problems, leaving [A-Za-z0-9], which most sites allow. Then pick the first n chars (where n defaults to 32 and is passed as an argument).

    E.g.

    randpass

    To get the default 32 char password, or you can override that on the command line if you know the maximum password length the site supports. E.g.

    randpass 64

    Gives a 64 char password.

    I store 'em in a text file in a small TrueCrypt volume as a backup and sync that across devices. For things like imgur.com I let the browser remember them because there's nothing too critical about the account. The password has 62^32 combinations, which is hard to brute force, and even if someone did brute force it, who cares? All they'll learn is that my password to other sites needs another 62^32/2 tries to brute force, which is probably not worth their time.

    And if you know the site allows longer passwords, just tell randpass on the command line. E.g.

    randpass 64

    Actually once I got this to work I invented a more elaborate version that encrypted with a per device private RSA key, randomized the number of sha512 hashing stages and so on. But that only matters if you think an attacker can work out what openssl rand returned on your device, which they probably can't.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
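As an added example (not Hal_Porter's script or any reply's code): the same generator written against the OS random device that the replies below argue about, plus a helper that turns the 62^N figure quoted above into bits. It assumes a POSIX shell with tr, head, grep and awk, and that /dev/urandom exists (Linux, macOS and Cygwin all provide it).

```shell
#!/bin/sh
# Added example: draws [A-Za-z0-9] characters straight from /dev/urandom.
# tr -dc discards every byte outside the 62-symbol alphabet, which is plain
# rejection sampling, so each kept character is uniform over the 62 symbols.

# randpass [N]: print N (default 32) characters from [A-Za-z0-9], no newline.
randpass() {
    n=${1:-32}
    # LC_ALL=C makes tr work on bytes, so A-Z and a-z mean ASCII letters only.
    # head closes the pipe after N chars; tr then stops on SIGPIPE.
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$n"
}

# password_bits N: entropy of an N-char password drawn uniformly from 62
# symbols, i.e. N * log2(62). For N=32 (the 62^32 case) this is about 190.5.
password_bits() {
    awk -v n="$1" 'BEGIN { printf "%.1f", n * log(62) / log(2) }'
}

# check_password PW: succeed only if PW is non-empty and purely [A-Za-z0-9],
# the character set the randpass in the post relies on sites accepting.
check_password() {
    printf '%s' "$1" | LC_ALL=C grep -qE '^[A-Za-z0-9]+$'
}

pw=$(randpass 32)
echo "$pw"
echo "entropy: $(password_bits 32) bits"
```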
    1. Re:Passwords by AC-x · · Score: 1

      Actually once I got this to work I invented a more elaborate version that encrypted with a per device private RSA key, randomized the number of sha512 hashing stages and so on. But that only matters if you think an attacker can work out what openssl rand returned on your device, which they probably can't.

      Why not just read cryptographically secure random bytes from /dev/random ?

    2. Re:Passwords by Hal_Porter · · Score: 1

      openssl rand n does use /dev/urandom on a Unix-like OS, but it doesn't just directly read n bytes from it; it does a bit of munging, like reading a few bytes at startup and using that as a seed for its own PRNG.

      https://security.stackexchange...

      And of course openssl works on OSs that don't have a /dev/urandom at all - e.g. on Win32 it calls Win32 crypto function to get a seed and then uses that for its own PRNG.

      Basically the openssl guys don't seem to trust /dev/urandom to be random. E.g. the stack exchange source says

      You do not want to trust that the random source is random. /dev/urandom in particular is not trustworthy because in guaranteeing that it will not block on low-entropy conditions, it fails to guarantee that the output is actually random. The manpage man 4 urandom has more information on this, including a cryptic allusion to an attack some government body may or may not have predicated on this condition. Suitability tests can be conducted on this data, or it can be mutated in some way to concentrate entropy, or different sources can be combined.

      Which I think is a reference to this

      https://linux.die.net/man/4/ur...

      A read from the /dev/urandom device will not block waiting for more entropy. As a result, if there is not sufficient entropy in the entropy pool, the returned values are theoretically vulnerable to a cryptographic attack on the algorithms used by the driver. Knowledge of how to do this is not available in the current unclassified literature, but it is theoretically possible that such an attack may exist. If this is a concern in your application, use /dev/random instead.

      And essentially running the output of openssl rand through sha512 a couple of times does a bit more munging. And running it through sha512 a random number of times and then encrypting with a per device RSA private key does even more munging.

      As with most things in life you have to decide what level of munging you feel comfortable with and code to that level. Personally I use the maximum level, though of course it's debatable whether this is overkill or not.

      It may well be that just reading from /dev/urandom on your OS is good enough.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    3. Re: Passwords by AC-x · · Score: 1

      I said /dev/random, not /dev/urandom :P /dev/random is supposed to be cryptographically secure on its own, and as you're only generating occasional passwords with it there shouldn't be any problem of exhausting the entropy pool.

    4. Re: Passwords by Hal_Porter · · Score: 1

      Well I want the script to run on macOS, Windows Cygwin and Linux. I dunno if I trust either /dev/random or /dev/urandom on all of those. And openssl and bash are installed on all of them. I trust the openssl guys more than I trust the OS vendors not to have some backdoor or a cryptographically crippled /dev/[u]random.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    5. Re: Passwords by AC-x · · Score: 1

      Sure, but generally it's better to use an existing cryptographically secure system than trying to roll your own, as there's always the possibility of making a mistake and making the previously secure random less secure.

      Also OpenSSL doesn't exactly have a perfect security record!

  4. Re:Scrambled with SHA-256? by AC-x · · Score: 1

    if they think that you use SHA-256 to __scramble__ data, then obviously they know jack shit about security

    Those are the words of ZDNet, not Imgur.

    Imgur said the passwords were encrypted with SHA-256, which of course is even worse! Probably didn't use a salt either...