The data breach has only recently come to light after being discovered by security researcher Troy Hunt.
Mr Hunt said he was impressed with the company’s swift response.
Imgur said in a statement that no other personal data had been taken as it did not collect information such as real names and phone numbers.
“We apologise that this breach occurred and the inconvenience it has caused you,” wrote Roy Sehgal, Imgur’s chief operating officer, in a blog post.
Mr Sehgal said Imgur was “still investigating” but its former encryption method – a hashing algorithm – may have been “cracked with brute force”.
That algorithm had been replaced in 2016, he added.
“We recommend that you use a different combination of email and password for every site and application,” he wrote.
“Please always use strong passwords and update them frequently.”
Troy Hunt tweeted that Imgur had released a statement 25 hours after he had contacted the company.
“This is really where we’re at now: people recognise that data breaches are the new normal and they’re judging organisations not on the fact that they’ve had one but on how they’ve handled it when it’s happened,” he wrote.
This month it was revealed that ride-hailing app Uber had concealed a 2016 data breach affecting 57 million users and drivers.
It also admitted to paying the hackers $100,000 (£75,000) to delete the stolen data.
“None of this should have happened,” said chief executive Dara Khosrowshahi.