65 million hacked Tumblr user details go up for sale on dark web

News by Rene Millman

Tumblr waited three years to tell users about breach

Around 65 million Tumblr user accounts have been found up for sale on the dark web.

The firm has only recently acknowledged the breach, which took place in early 2013. The information hacked included email addresses and encrypted passwords.

"As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts," said the firm in a blog post.

While Tumblr didn't say exactly when the attack happened, according to Troy Hunt, the man behind the data breach website Have I Been Pwned?, the data was extracted on 28 February 2013.

"In early 2013, Tumblr suffered a data breach which resulted in the exposure of over 65 million accounts," the site said.

"The data was later put up for sale on a dark market website, and included email addresses and passwords stored as salted SHA1 hashes."

As the passwords have been salted and hashed, it would be virtually impossible to reconstruct them. However, Tumblr has still advised users to change passwords as a security precaution.

The Tumblr hack comes to light just as details of 360 million users of former social network behemoth MySpace have also hit the dark web. The MySpace case is more serious, as its passwords were stored in a modified form that was relatively easy to crack.
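Why the storage format decides how much a leaked password database is worth, as an added illustration that is not part of the original article: with unsalted SHA1 a single precomputed table matches every record in the dump at once, whereas a per-user salt makes that table useless and forces each record to be handled separately. The accounts, passwords and wordlist below are constructed, and the PBKDF2 function shows what a slower, modern store looks like (assumed here as an illustration, not how Tumblr stored passwords).

```python
import hashlib
import hmac
import os

# Constructed sample accounts; not data from any real breach.
USERS = {"alice@example.com": "correct horse", "bob@example.com": "correct horse"}

def unsalted_sha1(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

def salted_sha1(password: str, salt: bytes) -> str:
    # Salt prepended to the password before hashing, as many 2013-era stores did.
    return hashlib.sha1(salt + password.encode()).hexdigest()

def store_unsalted(users: dict) -> dict:
    # Same password => same digest for every user, so one match exposes all of them.
    return {u: unsalted_sha1(p) for u, p in users.items()}

def store_salted(users: dict) -> dict:
    # A fresh random salt per user; the salt sits beside the digest and is not secret.
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt.hex(), salted_sha1(p, salt))
    return out

def verify_salted(record: tuple, candidate: str) -> bool:
    salt_hex, digest = record
    recomputed = salted_sha1(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, digest)  # constant-time comparison

def precomputed_table(wordlist: list) -> dict:
    # Digest -> plaintext, built once and reusable against any unsalted dump.
    return {unsalted_sha1(w): w for w in wordlist}

def match_unsalted(store: dict, table: dict) -> dict:
    # Every record is resolved by a dictionary lookup; no hashing per record.
    return {u: table[h] for u, h in store.items() if h in table}

def match_salted(store: dict, table: dict) -> dict:
    # The same table finds nothing: the salt changes every digest.
    return {u: table[h] for u, (_, h) in store.items() if h in table}

def store_pbkdf2(password: str, salt: bytes, rounds: int = 100_000) -> str:
    # Salting stops table reuse, but SHA1 itself stays fast; a deliberately slow KDF
    # such as PBKDF2 (or scrypt/argon2) makes each per-record guess expensive as well.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()
```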

Hunt said that several breaches that had recently come to light, including LinkedIn, MySpace and adult dating site Fling, made him question whether they were all in some way related.

"There's been some catalyst that has brought these breaches to light and to see them all fit this mould and appear in such a short period of time, I can't help but wonder if they're perhaps related," he said in a blog post.

"And for that matter, even if these events don't all correlate to the same source and we're merely looking at coincidental timing of releases, how many more are there in the 'mega' category that are simply sitting there in the clutches of various unknown parties?"

Jason Hart, CTO Data Protection at Gemalto, told SCMagazineUK.com that the Tumblr and MySpace attacks are worrying but shouldn't come as a surprise.

“We already know that passwords alone are not secure. Consumers need to demand, and businesses need to provide, additional security beyond the password such as multi-factor authentication,” he said.

Dave Worrall, CTO of Secure Cloudlink, told SC that passwords are simply no longer fit for purpose.

“Passwords have evolved into an untenable means of authentication due to the fundamental security vulnerabilities they present. This is exacerbated by the dramatic shift to mobile computing and the rising number of data breaches,” he said.

“Many companies have tried to reduce the inherent vulnerabilities of passwords by hashing them, or introducing biometric access options, which improve the user experience and add a layer of security for user credentials, but it doesn't remove the use and transmission of user credentials and passwords behind the scenes.”
