Back in November, the viral image site Imgur disclosed long overdue information about a hack that took place in 2014. The security breach resulted in hackers making off with 1.7 million email addresses and passwords. Now, according to ID Agent, a company that combines human and sophisticated intelligence to monitor cybercriminal activity, this information has found its way onto the dark web.
The dark web, of course, refers to the collection of websites that exist on an encrypted network and cannot be accessed by search engines or visited by using traditional browsers. Websites found on the dark web are typically promoting some sort of nefarious activity like selling stolen web credentials, illegal drugs or worse.
Yesterday, ID Agent sent out an email to their partners disclosing information about a large set of valid compromised credentials that were added to the dark web ID data store, noting that this could cause heightened conditions for cybercrime. Most of the personal information appears to be from the Imgur hack.
Here’s what you need to know.
While Imgur was hacked in 2014, the company states that they didn’t know about it until November 23rd, 2017, when they were contacted by Troy Hunt. Hunt is a security researcher who runs the data breach notification service website, haveibeenpwned. The website stores leaked data from every major hack so that victims can search their email and find out if their accounts have been compromised.
Hunt was sent the stolen credentials from the Imgur hack to add to his compromised information database — 60% of which were already in the database, previously stolen from other major hacks.
Imgur has yet to say how exactly they were hacked, though it’s important to note that personal information stolen in the hack is contained to email and passwords. Imgur made this clear in their blog post disclosing the hack, stating that they’ve, “never asked for real names, addresses, phone numbers, or other personally-identifying information (“PII”), so the information that was compromised did NOT include such PII.”
What You Need to Do
If you have an Imgur account and you didn’t update your credentials back in November, you need to do that ASAP. If you use the same login information for other online accounts, it’s important that you update those, too.
Most importantly, go to haveibeenpwned and type in your email address. The website will notify you if any of your logins have been compromised by the Imgur hack or any other major security breach. With all the major hacks that have taken place over the past few years, your email will likely be linked to one of them. If it is, your next step should be to change all your passwords, especially if you reuse the same ones often.
As we’ve previously suggested, the easiest way to protect your online accounts without needing to remember 50 different passwords is a password manager. In this blog post, we discussed how these great tools allow you to manage all this information within a single, encrypted application. By using a password manager, you can make every login credential different (and complicated) without having to remember them all. Some more advanced password managers can also manage login procedures like multi-factor authentication and multi-page fill-ins.
We’re reaching a point where it’s almost essential you use a password manager to ensure security of your information. Many have a subscription, but there are also free options as well — here’s a list of 9 free options you can try. We recommend researching them to see how well they fit your needs before you commit all your passwords to one.
Remember, once your information is on the dark web, there’s no telling who can get access to it. Now’s the time to make sure that cybercriminals aren’t poking around in your private data. Take charge of your online privacy before it’s too late.
Written by Nik Vargas