May 31, 2016

65 Million Email Credentials Stolen from Tumblr Breach

While Tumblr admitted that it had only recently discovered a 2013 data breach affecting a particular “set” of users’ credentials, it did not reveal the number of users affected. That secret is now out.

A total of 65 million Tumblr users were affected by the 2013 data breach, in which their emails and passwords were stolen.

The details of the breach come from an independent analysis of the data by security researcher Troy Hunt, who runs the hacked credentials portal Have I Been Pwned.

The researcher told Motherboard that the data he combed through contained 65,469,298 unique emails and passwords. Notably, the passwords were hashed rather than stored in plain text. More specifically, Tumblr had employed salted hashes: a series of random bytes is added to the end of every password before hashing, as a measure of additional security protection.

The hacked data has been put up for sale on the darknet marketplace The Real Deal. One hacker, known as Peace, claimed Tumblr used SHA1 to hash the passwords. It is because of the enhanced security protocols used by Tumblr that the hacker could hawk the entire database for only $150. Essentially, the dump is one large list of emails, with the passwords proving to be substantially hard to crack.

Still, Hunt added that the age of the breach and the redundant security practices used at the time mean that at least half of the passwords could be cracked.
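The storage scheme described above (random bytes appended to the password, then SHA1) can be put beside a slower replacement. This is an added example, not Tumblr's code or part of the original article, and it goes beyond the article by showing the mitigation: a legacy salted SHA-1 record is rehashed with PBKDF2 on the user's next successful login. The record layout, salt length and iteration count are assumptions.

```python
import hashlib
import hmac
import os

SALT_LEN = 16          # assumed salt size; the article gives no figure
ITERATIONS = 600_000   # assumed PBKDF2 work factor; tune to your hardware


def legacy_hash(password: str, salt: bytes) -> bytes:
    # Scheme as the article describes it: salt bytes appended, one SHA-1 pass.
    return hashlib.sha1(password.encode("utf-8") + salt).digest()


def hardened_record(password: str, iterations: int = ITERATIONS) -> dict:
    # Fresh per-user salt plus a deliberately slow key-derivation function.
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"scheme": "pbkdf2-sha256", "iterations": iterations,
            "salt": salt, "hash": digest}


def verify(record: dict, password: str) -> bool:
    if record["scheme"] == "sha1-salt":
        candidate = legacy_hash(password, record["salt"])
    elif record["scheme"] == "pbkdf2-sha256":
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        record["salt"], record["iterations"])
    else:
        return False  # unknown scheme: refuse rather than guess
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def login(record: dict, password: str, iterations: int = ITERATIONS):
    """Return (ok, record); a legacy record is rehashed on a successful login."""
    if not verify(record, password):
        return False, record
    if record["scheme"] == "sha1-salt":
        # The plaintext is only available at login, so the upgrade happens here.
        record = hardened_record(password, iterations)
    return True, record


if __name__ == "__main__":
    # Constructed sample: one user stored the legacy way, then upgraded at login.
    salt = os.urandom(SALT_LEN)
    user = {"scheme": "sha1-salt", "salt": salt, "hash": legacy_hash("correct horse", salt)}
    ok, user = login(user, "correct horse")
    print(ok, user["scheme"])
```

The salt makes two users with the same password store different hashes, but each legacy check still costs a single SHA-1 computation, whereas the PBKDF2 record costs `iterations` rounds per check.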

The Tumblr data breach is now the third largest ever to be listed on Have I Been Pwned. The LinkedIn hack of 164 million accounts and the infamous Adobe breach of 152 million accounts come first and second.

Speaking about the ever-increasing revelations of data breaches that each affect hundreds of millions of customers, Troy wrote in a blog post:

“If this indeed is a trend, where does it end? What more is in store that we haven’t already seen?

And for that matter, even if these events don’t all correlate to the same source and we’re merely looking at coincidental timing of releases, how many more are there in the ‘mega’ [breach] category that are simply sitting there in the clutches of various unknown parties?”

About the author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
