May 31, 2016

65 Million Email Credentials Stolen from Tumblr Breach

While Tumblr admitted that it had only recently discovered a 2013 data breach affecting a particular “set” of users’ credentials, it did not reveal the number of users affected. That secret is now out.

A total of 65 million Tumblr users were affected, with their emails and passwords stolen in a 2013 data breach.

The details of the breach come from an independent analysis of the data by security researcher Troy Hunt, who runs the hacked credentials portal Have I Been Pwned.

The researcher told Motherboard that the data he combed through contained 65,469,298 unique emails and passwords. Notably, the passwords were hashed rather than stored in plain text. More specifically, Tumblr had employed salted hashes, adding a series of random bytes to the end of every password before hashing it, as an additional security measure.

The hacked data has been put up for sale on darknet marketplace The Real Deal. One hacker, known as Peace, claimed Tumblr used SHA1 to hash the passwords. Because of the enhanced security protocols used by Tumblr, the hacker could hawk the entire database for only $150. Essentially, the dump is one large list of emails, with the passwords proving to be substantially hard to crack.

Still, Hunt added that the age of the breach and the redundant security practices used at the time mean that at least half of the passwords could be cracked.
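To make the hashing point concrete, here is an added example (not code from Tumblr, Hunt or this article) that places the salted SHA-1 scheme described above beside a memory-hard replacement, and upgrades a legacy record at the user's next successful login. The salt length, scrypt parameters, record layout and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

SALT_LEN = 16  # assumption: the article does not state the salt length


def legacy_hash(password: str, salt: bytes) -> str:
    """Scheme as the article describes it: SHA-1 over password + salt."""
    return hashlib.sha1(password.encode() + salt).hexdigest()


def kdf_hash(password: str, salt: bytes) -> bytes:
    """Hardened form: scrypt is memory-hard and deliberately slow per guess."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


def new_record(password: str) -> dict:
    """Build a fresh record with a new random salt (hypothetical layout)."""
    salt = os.urandom(SALT_LEN)
    return {"scheme": "scrypt", "salt": salt, "hash": kdf_hash(password, salt)}


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check a login; on success, rewrite a legacy SHA-1 record as scrypt."""
    if record["scheme"] == "sha1-salted":
        candidate = legacy_hash(password, record["salt"])
        ok = hmac.compare_digest(candidate, record["hash"])  # constant-time
        if ok:
            # The plaintext is only available at login, so upgrade now.
            record.update(new_record(password))
        return ok
    candidate = kdf_hash(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed sample: two users sharing one password, each with own salt.
    s1, s2 = os.urandom(SALT_LEN), os.urandom(SALT_LEN)
    # The salt makes the stored values differ, but SHA-1 stays cheap to compute.
    print(legacy_hash("correct horse", s1) != legacy_hash("correct horse", s2))
    user = {"scheme": "sha1-salted", "salt": s1,
            "hash": legacy_hash("correct horse", s1)}
    print(verify_and_upgrade(user, "correct horse"), user["scheme"])
```

The salt stops identical passwords from producing identical stored values, but only the slow key-derivation function raises the cost of each guess against a stolen dump.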

The Tumblr data breach is now the third largest ever to be listed on Have I Been Pwned. The LinkedIn hack of 164 million accounts and the infamous Adobe breach of 152 million accounts come first and second.

Speaking about the ever-increasing revelations of data breaches that each affect hundreds of millions of customers, Troy wrote in a blog post:

“If this indeed is a trend, where does it end? What more is in store that we haven’t already seen?

And for that matter, even if these events don’t all correlate to the same source and we’re merely looking at coincidental timing of releases, how many more are there in the ‘mega’ [breach] category that are simply sitting there in the clutches of various unknown parties?”

About the author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
