Imagine my surprise the moment I found out that over 65 million email addresses and passwords had been taken from Tumblr’s systems. On May 12th, Tumblr, the microblogging platform also known as the watering hole of sleepless hipsters and fandom cults, revealed that it had only just discovered a data breach dating back to February 2013. Tumblr did not disclose how many users were affected, but in an independent analysis security researcher Troy Hunt, who had recently obtained a copy of the stolen data set, told Motherboard that it contained 65,469,298 unique email addresses and passwords.
Troy Hunt is the man behind the data breach awareness portal ‘Have I Been Pwned’, an online service where users can search an extensive database of details from public breaches to check if their details have been exposed.
Troy Hunt stated that he had received the data dump containing the millions of emails and passwords, which the anonymous donor claimed belonged to Tumblr users. The researcher tracked the data dump to The Real Deal Dark Web marketplace, where a hacker by the name of Peace (also known as Peace_of_mind) is selling it for 0.4255 Bitcoin (as of today around USD$226).
Source: Troy Hunt
Peace appears to be the very same hacker who has been putting data up for sale from various other breaches such as the recent LinkedIn and MySpace breaches, as well as data dumps from other online services such as Fling.com and the Linux Mint forum.
Thankfully, the passwords in the leak were not in plain text but appear to have been hashed and salted, which leaves them in far better shape than the passwords from the recent LinkedIn and MySpace breaches. In those two cases the passwords were stored as unsalted SHA1 hashes, which allowed the team at LeakedSource to crack most of them: without a salt, a single pass over a wordlist (or a precomputed table of hashes) tests every account at once, and every user who chose the same password shares the same hash. Tumblr reportedly also hashed its passwords with SHA1, but with a salt added to each one, so an attacker has to repeat the cracking work separately for every account. That raises the cost of a mass crack considerably, but it is worth being clear about what a salt does not do: it does not slow down any single guess, so with a fast hash such as SHA1 a weak password can still be cracked one account at a time. Tumblr itself has not disclosed which algorithm it used.
Peace told Motherboard that the way Tumblr had stored and protected its users’ passwords made them hard to crack, so the data is “essentially just a list of emails”, and that he was only able to sell it for $150.
Hashing runs a password through a one-way cryptographic function that produces a fixed-length string, often called a digest or fingerprint. The same input always produces the same output, but the output cannot be reversed to recover the password; an attacker can only guess candidate passwords, hash each one, and compare the results against the stolen hashes.
Salting adds a random per-user string (the salt) to the password before it is hashed and stores the salt alongside the resulting hash. Because every user’s salt differs, identical passwords yield different hashes, precomputed tables of hashes become useless, and the attacker has to crack each account’s hash separately rather than all of them in one pass.
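To make the difference between unsalted and salted hashing concrete, here is an added Python example that is not part of the original article and is not Tumblr’s, LinkedIn’s or MySpace’s actual code. It builds a small constructed set of accounts and a toy wordlist, stores the passwords both ways, and counts how many hash computations an attacker needs in each case. The salt-then-password layout is an assumption, since Tumblr has not published its scheme. The last part goes one step beyond the article with a PBKDF2-based store, the slow, salted construction a practitioner would use today.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for this demonstration (not real breach data).
# Two users picked the same weak password; one picked something the tiny
# wordlist below will not contain.
USERS = {
    "alice@example.com": "password1",
    "bob@example.com": "letmein",
    "carol@example.com": "password1",
    "dave@example.com": "correct horse battery staple",
}

# Constructed attacker wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "tumblr"]


def sha1_unsalted(password: str) -> str:
    """Bare SHA1 of the password, the way LinkedIn and MySpace stored theirs."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """Salted SHA1 as salt || password. Tumblr's exact layout is unknown;
    this construction is assumed here purely for illustration."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    """email -> hex digest. Identical passwords give identical digests."""
    return {email: sha1_unsalted(pw) for email, pw in users.items()}


def store_salted(users: dict) -> dict:
    """email -> (salt, hex digest). A fresh random salt per user is stored
    next to the hash, because the verifier needs it to recompute the digest."""
    stored = {}
    for email, pw in users.items():
        salt = os.urandom(16)
        stored[email] = (salt, sha1_salted(pw, salt))
    return stored


def crack_unsalted(stored: dict, wordlist: list) -> tuple:
    """Hash the wordlist once, then look every account up in that table.
    Returns (cracked accounts, number of hash computations performed)."""
    table = {sha1_unsalted(w): w for w in wordlist}
    cracked = {email: table[h] for email, h in stored.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(stored: dict, wordlist: list) -> tuple:
    """With per-user salts no shared table is possible: the wordlist has to be
    rehashed against each account's own salt, one account at a time."""
    cracked, work = {}, 0
    for email, (salt, h) in stored.items():
        for w in wordlist:
            work += 1
            if sha1_salted(w, salt) == h:
                cracked[email] = w
                break
    return cracked, work


# Hardened form, beyond what the article describes: a deliberately slow,
# salted key derivation function, so that every single guess is expensive
# rather than just un-shareable between accounts.
PBKDF2_ITERATIONS = 200_000


def store_pbkdf2(password: str) -> tuple:
    """Returns (salt, derived key) for storage."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    salted = store_salted(USERS)
    print("alice and carol share a hash, unsalted:",
          unsalted["alice@example.com"] == unsalted["carol@example.com"])
    print("alice and carol share a hash, salted:  ",
          salted["alice@example.com"][1] == salted["carol@example.com"][1])
    print("unsalted: cracked %s with %d hashes" % crack_unsalted(unsalted, WORDLIST))
    print("salted:   cracked %s with %d hashes" % crack_salted(salted, WORDLIST))
```

With the six-word list, the unsalted store falls with six hash computations for all four accounts, while the salted store needs sixteen (and the total grows with the number of accounts), yet the same three weak passwords are recovered in both cases, which is exactly why a salt alone is not enough and a slow KDF is the modern answer.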
Tumblr’s May 12th statement said that its “Analysis gives us no reason to believe that this information was used to access Tumblr accounts”. Because the stolen data dates from early 2013, before Yahoo acquired Tumblr, the company said that only users who had accounts at that time were believed to be affected, and it began a password reset for those users.
Unconvinced by that assurance, as I personally have been using Tumblr since 2009, I attempted to log in to my Tumblr account only to be greeted by this note:
With some dread, I entered my email address into the ‘Have I Been Pwned’ portal to check if I had indeed been pwned.
Of course, if the alarming red notice on HIBP’s site was not enough to make me subscribe to the notification service, I’m not sure what would.
The ‘Have I Been Pwned’ portal is a nifty database anyone can use to check whether an email address appears in known breaches, and to subscribe to free notifications if it turns up in a future breach.
Verify your email on HIBP to receive future breach notifications.
Although the data from the Tumblr breach had been lying dormant since a hack that occurred years ago, on being loaded it immediately became the fourth largest breach in Have I Been Pwned, behind the 359 million MySpace accounts, 164 million LinkedIn accounts and 152 million Adobe accounts.
Source: Have I Been Pwned
It is striking how many of these massive breaches, MySpace and LinkedIn among them, are only surfacing now, years after they actually occurred. A breach can go undiscovered for a very long time, and any of us could already have been compromised without knowing it yet.
As Troy Hunt states:
“If this indeed is a trend, where does it end? What more is in store that we haven’t already seen?… How many more are there in the ‘mega’ [breach] category that are simply sitting there in the clutches of various unknown parties?”
Sources: Have I Been Pwned; Computer World