While Tumblr admitted that it had only recently discovered a 2013 data breach affecting a particular “set” of users’ credentials, it did not reveal the number of users affected. That secret is now out.
A total of 65 million Tumblr users had their email addresses and passwords stolen in the 2013 data breach.
The details of the breach come from an independent analysis of the leaked data by security researcher Troy Hunt, who runs the breached-credentials portal Have I Been Pwned.
The researcher told Motherboard that the data he combed through contained 65,469,298 unique emails and passwords. Notably, the passwords were hashed rather than stored in plain text. More specifically, Tumblr had employed salted hashes: a series of random bytes appended to every password before hashing it, an additional layer of security protection.
The hacked data has been put up for sale on the darknet marketplace The Real Deal. One hacker, known as Peace, claimed Tumblr used SHA1 to hash the passwords. It is because of the enhanced security measures used by Tumblr that the hacker could hawk the entire database for only $150. Essentially, the dump is one large list of emails, with the passwords proving substantially hard to crack.
Still, Hunt added that the age of the breach and the now-outdated security practices used at the time mean that at least half of the passwords could be cracked.
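To make the salting and hashing discussion above concrete, here is an added Python example (not Tumblr's code; the 16-byte salt length, the appended-salt layout and the PBKDF2 iteration count are assumptions) that implements the salted SHA-1 layout the article describes next to an iterated PBKDF2 alternative, and measures how much more work each guess costs under the slower scheme.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for this illustration (not Tumblr's actual values).
SALT_BYTES = 16
PBKDF2_ITERATIONS = 100_000


def salted_sha1(password: str, salt: bytes) -> bytes:
    """Legacy layout as described in the article: SHA-1(password || salt)."""
    return hashlib.sha1(password.encode("utf-8") + salt).digest()


def pbkdf2_sha256(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Iterated alternative: every guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, scheme: str = "pbkdf2") -> dict:
    """Store a fresh random salt per user next to the digest."""
    salt = os.urandom(SALT_BYTES)
    if scheme == "sha1":
        digest = salted_sha1(password, salt)
    elif scheme == "pbkdf2":
        digest = pbkdf2_sha256(password, salt)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return {"scheme": scheme, "salt": salt, "digest": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    if record["scheme"] == "sha1":
        candidate = salted_sha1(password, record["salt"])
    else:
        candidate = pbkdf2_sha256(password, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])


def same_password_distinct_digests(password: str, scheme: str = "sha1") -> bool:
    """What salting buys: two users with the same password get different digests,
    so one precomputed table cannot cover both; each record still verifies."""
    a, b = make_record(password, scheme), make_record(password, scheme)
    return a["digest"] != b["digest"] and verify(password, a) and verify(password, b)


def relative_cost(sha1_runs: int = 2000, pbkdf2_runs: int = 2) -> float:
    """What salting does not buy: per-guess cost of PBKDF2 relative to salted SHA-1."""
    salt = bytes(SALT_BYTES)
    t0 = time.perf_counter()
    for _ in range(sha1_runs):
        salted_sha1("password", salt)
    sha1_each = max((time.perf_counter() - t0) / sha1_runs, 1e-9)
    t0 = time.perf_counter()
    for _ in range(pbkdf2_runs):
        pbkdf2_sha256("password", salt)
    pbkdf2_each = (time.perf_counter() - t0) / pbkdf2_runs
    return pbkdf2_each / sha1_each
```

Salting defeats shared precomputed tables, but a single fast SHA-1 per guess is what lets a large fraction of weak passwords fall; the iterated scheme raises the cost of every guess by the ratio `relative_cost()` returns.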
The Tumblr data breach is now the third largest ever to be listed on Have I Been Pwned. The LinkedIn hack of 164 million accounts and the infamous Adobe breach of 152 million accounts come first and second.
Commenting on the growing run of data breach disclosures, each affecting hundreds of millions of customers, Hunt wrote in a blog post:
“If this indeed is a trend, where does it end? What more is in store that we haven’t already seen?
And for that matter, even if these events don’t all correlate to the same source and we’re merely looking at coincidental timing of releases, how many more are there in the ‘mega’ [breach] category that are simply sitting there in the clutches of various unknown parties?”
Image credit: Flickr.