The Tumblr data breach that was announced just over two weeks ago involved the theft of users’ email addresses and passwords. While it was initially unclear how many users were affected, further information has now come to light on the breach.
The data from the 2013 Tumblr cyberattack have recently been acquired by HaveIBeenPwned, which has confirmed that the unique usernames and passwords of 65,469,298 individuals are present in the data.
That makes this the fourth-largest data breach that has been reported to the site, behind the 117 million-record breach at LinkedIn, the 152 million-record breach at Adobe Systems Inc, and the 427 million-record breach at MySpace.
While the usernames were stored as plaintext, the passwords were hashed using the SHA-1 algorithm. Each password was also salted, making it harder for hackers to crack the passwords.
The data file was recently listed for sale on the hacking marketplace TheRealDeal by a hacker operating under the name “Peace_of_Mind”. The data were being offered for sale for 0.4255 Bitcoin, approximately $225 at today’s exchange rates. Peace_of_Mind has also recently listed other large datasets for sale on the site, including the stolen credentials from the LinkedIn, MySpace, and Fling data breaches.
The Tumblr data breach was investigated promptly. According to a post on the Tumblr website, the data do not appear to have been used to gain access to users’ accounts. That does not mean that users are safe. It is possible that the passwords could be cracked, so all users have been advised to change their passwords and also change passwords on other websites if their Tumblr password has been reused.
While the data from a number of these large-scale data breaches have been listed for sale by the same individual, it is currently unclear who actually hacked these organizations. It is also unclear why it has taken so long for the data to be offered for sale.