The image-sharing site, We Heart It, just announced a security breach dating back to late 2013. Let’s take a look at the details and lessons learned.

We Heart It Breach Details

We Heart It is an image-sharing site used by millions of teens. In 2015, user numbers were as high as 40 million.

The data breach just announced included email addresses, usernames, and encrypted passwords of over 8 million accounts created between 2008 and November 2013.

We Heart It sent emails to affected users, and shared the following information on their support website:

  • We Heart It has, to date, found no evidence of unauthorized logins or wrongdoing. They state, however, that the encryption algorithms commonly used to encrypt passwords in 2013 are no longer secure due to advancements in computer hardware.
  • They recommend users change their We Heart It password if it has not been updated since 2013.
  • We Heart It says they have made significant upgrades and improvements to their systems, security protocols, password security, and databases since 2013. They’ve also added an additional layer of protection using the bcrypt algorithm, and are updating all stored user passwords with this additional layer.
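The upgrade described in the last bullet, wrapping every existing password hash in a slow hash without waiting for users to log in, is a standard migration pattern. The following is an added illustration written for this article, not We Heart It’s code: the legacy algorithm (unsalted SHA-1) is an assumption, since the announcement does not name it, and stdlib PBKDF2-HMAC stands in for bcrypt so the example runs without third-party packages; the logic is identical with bcrypt.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Assumption: the "2013-era" scheme was an unsalted SHA-1 digest (constructed
# stand-in; the announcement does not say what We Heart It actually used).
def legacy_hash(password: str) -> bytes:
    return hashlib.sha1(password.encode()).digest()

ROUNDS = 100_000  # stand-in for bcrypt's cost factor

def slow_hash(material: bytes, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 used here in place of bcrypt (stdlib only).
    return hashlib.pbkdf2_hmac("sha256", material, salt, ROUNDS)

def wrap_legacy_record(legacy_digest: bytes) -> Dict:
    """Bulk upgrade: wrap an existing digest; the plaintext is not needed."""
    salt = os.urandom(16)
    return {"scheme": "wrapped", "salt": salt, "hash": slow_hash(legacy_digest, salt)}

def hash_new_password(password: str) -> Dict:
    """Record for a freshly chosen password: slow hash over the password itself."""
    salt = os.urandom(16)
    return {"scheme": "direct", "salt": salt, "hash": slow_hash(password.encode(), salt)}

def migrate_all(users: Dict[str, bytes]) -> Dict[str, Dict]:
    """Offline migration of a whole legacy table {username: legacy_digest}."""
    return {name: wrap_legacy_record(digest) for name, digest in users.items()}

def verify_and_upgrade(password: str, record: Dict) -> Tuple[bool, Dict]:
    """Check a login against either record type; on success, drop the legacy layer."""
    if record["scheme"] == "wrapped":
        material = legacy_hash(password)      # recompute the inner legacy digest
    else:
        material = password.encode()
    candidate = slow_hash(material, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, record
    if record["scheme"] == "wrapped":
        # First successful login after migration: re-store as a direct slow hash
        # so the weak inner algorithm no longer matters at all.
        return True, hash_new_password(password)
    return True, record
```

Until a user logs in, the wrapped record still contains SHA-1(password) inside the slow hash, so a password reset or login is what finally retires the legacy algorithm.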

Good and Bad in the Incident Response

We Heart It was prompt in notifying both affected users and the public. Like the recent Disqus data breach, this breach was discovered by Troy Hunt, who runs the Have I Been Pwned? website. Hunt notified We Heart It of the breach on October 11. We Heart It notified affected users and shared information publicly by October 13.

Unfortunately, the company didn’t proactively reset users’ passwords on their behalf, as many companies do following a security breach involving account information.

Lessons Learned and Recommendations

The We Heart It breach suggests some recommendations for both account users and vendors.

Perform a regular account review

The We Heart It app is not quite as popular as it once was. In 2015, the app was ranked somewhere between 40th and 60th in the Top Social Networking apps list on the U.S. App Store. Today, it’s ranked #85, according to App Annie.

Old apps can come back to haunt you. You should periodically review accounts and apps to identify and purge those you are no longer using. You can review the site’s Privacy Policy or support information to learn how you can delete accounts and what happens when you delete an account. For example, We Heart It provides this information regarding deleting accounts:

“When you delete an account, all the account information is deleted from our servers, so none of the information will appear on our site anymore, like name, bio, location. But since We Heart It is a place to share images you found online (not personal images), any images posted by this user will remain on the site (without the user’s name), since other users may heart it as well from the same source.”

So, users may want to remove any images they’d like to get rid of before deleting the account.

For details on how – and, in some cases, if – you can delete your accounts from popular sites, services like Just Delete Me provide helpful information.

Use unique passwords for each account

As with many similar breaches, We Heart It is advising users to change their passwords on other sites if those sites reused the We Heart It password. Remember: each account you have should have a unique password. Password managers can help remove the headache of managing unique passwords.

Implement ongoing monitoring to protect against breaches

While We Heart It responded promptly once notified of the breach, several years passed before the company became aware of it. Online monitoring software helps organizations by actively watching for file transfers, privileged user activity, and website and application use that may signal suspicious activity.