Image-sharing website Imgur is the latest to suffer a data breach. However, unlike the recent, very high-profile breach of Uber, this story has some positive aspects.
Imgur Breach: The Facts
Imgur indicated that no other personal data was affected and, while noting that the investigation was ongoing, said the likely cause was a hashing algorithm that may have been “cracked with brute force”.
Via Twitter, Troy Hunt noted Imgur’s extremely quick response to the breach:
…25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure.
How Imgur Got Breach Response Right
Imgur did several things right in managing the breach aftermath:
- Announce the breach. Imgur’s CEO posted prominently on the website’s blog to provide a full description of what happened.
- Include the details. Imgur clearly stated what data was stolen, namely emails and passwords. Imgur made a point of reiterating that they don’t collect information such as real names and phone numbers.
- Provide help and guidance. Imgur quickly acted to require users to reset their passwords, and it provided several recommendations on what users should do to improve their online security, including advice to use strong passwords and to use a different combination of email and password for every site and application.
What Business Can Learn From the Imgur Response
Data breaches cost time and money, damage corporate reputation and brand, and erode customer trust. Today, it’s best to assume you will suffer a data breach. How well you detect and respond to it will determine the overall impact on your business.
- Monitor for threats. In the Imgur case, the breach actually occurred in 2014. Security event management and user activity monitoring products can do much of the work of watching for threats and alerting on them in order to prevent or mitigate breaches.
- Limit the amount of data you request – and provide. Limit the personally identifiable information (PII) you request and store to only what is needed. In Imgur’s case, they required only an email address and a password. On the flip side, consumers should not provide more data than is mandatory to use a service or site. When completing forms, limit the data provided to those fields marked as ‘Required’.
- Give quick and full notice. At a minimum, promptly notify users and provide details on the data affected. Not only is this the right thing to do, but most states require such reporting. Become familiar with the state and federal laws on security breach notification to minimize cost and impact to your business.
- Provide help. If you can take action on behalf of your users after the breach – for instance, by resetting passwords if needed – do so. Provide recommendations on ways that users can minimize the negative impact of the breach.