Breach went unnoticed for three years.
The email addresses and hashed passwords of 1.7 million accounts on popular image sharing site Imgur were stolen by attackers in 2014.
The company today revealed it had been notified of the three-year-old breach on November 23, when security expert Troy Hunt alerted Imgur after being sent the stolen data.
Imgur said it was still actively investigating what had happened, but it has started resetting the passwords of affected accounts and has publicly and privately notified users of the incident.
Chief operating officer Roy Sehgal said the site had upgraded its security since the breach – moving from SHA-256 to the bcrypt password-hashing algorithm last year – but advised anyone who had used their Imgur email address and password combination on other sites to change those details.
“We take protection of your information very seriously and will be conducting an internal security review of our system and processes,” Sehgal said.
“We apologise that this breach occurred and the inconvenience it has caused you.”
Imgur said the breach did not include any personal data; it does not require users to hand over their names, physical addresses or phone numbers.
The company has 150 million monthly users.
Hunt praised Imgur for its quick action in response to the breach notification.
“That’s 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure. Kudos!” Hunt said on Twitter.
“This is really where we’re at now: people recognise that data breaches are the new normal and they’re judging organisations not on the fact that they’ve had one, but on how they’ve handled it when it’s happened.”