Six years after the original incident, the cracked password trove from Imgur's 2013 breach has resurfaced on BreachForums in plaintext form. The file pairs roughly 1.75 million email addresses with the recovered passwords for those accounts.
Imgur disclosed the breach in November 2017 after Have I Been Pwned founder Troy Hunt notified the company that the dump was circulating. At the time Imgur said the stolen passwords had been hashed with SHA-256, an algorithm that was reasonable for its era but trivially crackable today on consumer GPU rigs. The current dump is the proof of that math: somebody finished the job and is now distributing the cleartext.
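An added example, not code from Imgur or from this article: the fast SHA-256 storage described above beside a salted scrypt record, plus an upgrade-on-login step that goes beyond what the article covers. The unsalted form, the scrypt parameters, the record format and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for illustration, tune to your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)

def legacy_sha256(password: str) -> str:
    """Weak 'before' form: one fast SHA-256 pass, unsalted (an assumption)."""
    return hashlib.sha256(password.encode()).hexdigest()

def scrypt_record(password: str) -> str:
    """Hardened form: per-user random salt plus a memory-hard KDF."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${key.hex()}"

def verify(password: str, record: str) -> bool:
    """Check a password against either record format, comparing in constant time."""
    if record.startswith("scrypt$"):
        _, salt_hex, key_hex = record.split("$")
        key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
        return hmac.compare_digest(key.hex(), key_hex)
    return hmac.compare_digest(legacy_sha256(password), record)

def login(db: dict, email: str, password: str) -> bool:
    """Verify, then replace a legacy SHA-256 record while the password is in hand."""
    record = db.get(email)
    if record is None or not verify(password, record):
        return False
    if not record.startswith("scrypt$"):
        db[email] = scrypt_record(password)
    return True

def demo() -> tuple:
    """Two constructed users share a password; compare stored records before and after."""
    db = {
        "alice@example.com": legacy_sha256("constructed-sample-pw"),
        "bob@example.com": legacy_sha256("constructed-sample-pw"),
    }
    # Identical fast hashes: recovering one password recovers every account using it.
    same_before = db["alice@example.com"] == db["bob@example.com"]
    for email in list(db):
        login(db, email, "constructed-sample-pw")
    # After the upgrade each record has its own salt, so the records differ.
    same_after = db["alice@example.com"] == db["bob@example.com"]
    return same_before, same_after

if __name__ == "__main__":
    print(demo())
```

Records that never see a login stay in the legacy format, so a migration like this still needs a forced reset or a wrapped hash for dormant accounts.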
For Imgur users who reused that password elsewhere, the practical consequence is the usual one. Anywhere that pair (the same email, the same password) still works is exposed. Credential stuffing tooling will be working through the list within hours of any new dump like this surfacing on a high-traffic forum.
What's in the file
The shape is the simplest possible: email:password, one record per line. No SMS numbers, no addresses, no payment data. Just credential pairs from a service that was, in 2013, a default attachment for anyone sharing screenshots from Reddit, Twitter, or chat clients. The userbase skewed young and casual, which means the same password is likely to show up at gaming services, indie forums, and personal email accounts that were spun up around the same time.
Imgur required a password reset for affected accounts at disclosure. Anyone who set a new password in late 2017 and hasn't changed it since is fine on Imgur itself. The risk is the long tail of accounts elsewhere that were never rotated.
If you want to check
The dataset is searchable here. Querying by email returns the indexed credential record if your address is in the file. We mask the password value for unauthenticated visitors, so the result confirms exposure without giving credentials to a casual passer-by. Logged-in accounts and unrestricted API keys can pull the cleartext.