Hackers Stole 65 Million Tumblr Email Addresses and Passwords

June 1, 2016 12:56 pm David Bisson

Hackers made off with the email addresses and passwords belonging to 65 million users of the microblogging platform and social networking website Tumblr.

Earlier in May, Tumblr revealed it had just discovered a data breach that occurred back in 2013. Per a statement released by Yahoo, which now owns the social media site:

“We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password.”

At the time of disclosure, Tumblr did not reveal which process it used to “hash” the passwords, that is, to transform each password into a different string. The site also did not disclose how many users were affected by the breach.

Security researcher Troy Hunt has since obtained a copy of the stolen data and told Motherboard that attackers stole 65,469,298 unique accounts.

A hacker known as “Peace,” the same individual who recently put up a database of 167 million LinkedIn accounts for sale on the dark web, also claims to have access to the data. He said Tumblr used SHA-1 to hash the passwords, a process that makes the passwords almost impossible to break. For that reason, Peace is offering only the email addresses for sale on the dark web, at US$150.

News of this breach follows on the heels of the LinkedIn and MySpace hacks, both of which are also believed to have occurred years in the past.

Hunt is intrigued by the fact that all of this exposed data has been lying dormant for so long, as he explains in a blog post on his website:

“If this indeed is a trend, where does it end? What more is in store that we haven’t already seen? And for that matter, even if these events don’t all correlate to the same source and we’re merely looking at coincidental timing of releases, how many more are there in the ‘mega’ category that are simply sitting there in the clutches of various unknown parties?”

Tumblr users can check Hunt’s Have I Been Pwned website to see if their information was compromised in the 2013 breach. If it was, they should follow security expert Graham Cluley’s advice and be on the lookout for malware and phishing attacks.