Imgur has apparently been hacked in 2014 and this has come to light only a few days back. 1.7 million emails and passwords have been leaked – passwords encrypted with SHA256. (Imgur has been using bcrypt since 2016, though)
From the article:
Although in an ideal world Imgur would never have been hacked in the first place, I believe that the company should be commended on two counts.
Firstly, Imgur didn’t ask users when they created accounts to enter any extraneous unnecessary information – such as real names, dates of birth, addresses, or phone numbers that could have made this breach much more damaging to its victims. There’s a great deal to be said for companies limiting the amount of information that they ask from their users – the less they store about you, the less they can lose.
One of the key requirements in GDPR is that websites collect only the minimum personal data necessary to perform its operations. It will be very hard to keep the user stores from being pwned, but having the least possible amount of data in them definitely helps lessen the damage.