Hackers Stole 65 Million Passwords From Tumblr, New Analysis Reveals

Two weeks after Tumblr disclosed a 2013 data breach, we finally know how big it was.

On May 12, Tumblr revealed that it had just found out about a 2013 data breach affecting "a set" of users' email addresses and passwords, but the company refused to reveal how many users were affected.

As it turns out, that number is 65 million, according to an independent analysis of the data.

Troy Hunt, a security researcher who maintains the data breach awareness portal Have I Been Pwned, recently obtained a copy of the stolen data set.

Hunt told Motherboard that the data contained 65,469,298 unique emails and passwords. (Tumblr did not immediately respond to a request to confirm the figure).

The passwords, however, were not in plaintext, but were "hashed," a process that turns the actual password into a different string of digits. The company also added a series of random bytes at the end of the passwords before hashing them, or "salted" them, as Tumblr said when it disclosed the breach. The company, however, didn't say exactly what algorithm it used to hash the passwords.

Since Tumblr's announcement, the hacked data appears to have been circulating within the internet underground. A hacker known as Peace, who also claims to have the data and was selling it on the darknet marketplace The Real Deal, said Tumblr used SHA1 to hash the passwords. Given that it also used salt, they are very hard for hackers to crack.
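To make the storage scheme described above concrete, here is a small added example (not code from the article, Tumblr, or Hunt) that implements a salted SHA-1 password hash the way the text describes it, beside the kind of deliberately slow, salted key-derivation function that is recommended instead. The salt length, the salt-appended layout, the PBKDF2 parameters and the sample password are all assumptions for illustration; the article does not state how Tumblr's scheme was laid out. The last function measures why the distinction matters to a defender: a salt stops one precomputed table from covering every user, but with a fast hash each individual guess still costs almost nothing, whereas a slow KDF makes every verification attempt expensive by design.

```python
import hashlib
import hmac
import os
import time

# Assumed storage layout for illustration: the article says the salt (random
# bytes) was appended to the password before hashing with SHA-1. The salt
# length below is an assumption, not a detail reported about Tumblr.
SALT_LEN = 16

# Assumed work factor for the hardened alternative; tune for your hardware.
PBKDF2_ITERATIONS = 100_000


def new_salt() -> bytes:
    """Fresh random salt per user, so equal passwords produce different hashes."""
    return os.urandom(SALT_LEN)


def hash_salted_sha1(password: str, salt: bytes) -> bytes:
    """The scheme the article describes: SHA-1 over password || salt (fast hash)."""
    return hashlib.sha1(password.encode("utf-8") + salt).digest()


def verify_salted_sha1(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison avoids leaking where the digests first differ."""
    return hmac.compare_digest(hash_salted_sha1(password, salt), stored)


def hash_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Hardened alternative: a salted, deliberately slow key-derivation function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_pbkdf2(password: str, salt: bytes, stored: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    return hmac.compare_digest(hash_pbkdf2(password, salt, iterations), stored)


def per_attempt_cost_ratio(password: str = "correct horse", rounds: int = 5) -> float:
    """Rough ratio of PBKDF2 cost to salted-SHA-1 cost for one verification.

    Both are salted, so the difference is purely the per-attempt work factor:
    this is what separates 'salted' from 'hard to check guesses against'.
    """
    salt = new_salt()
    start = time.perf_counter()
    for _ in range(rounds):
        hash_salted_sha1(password, salt)
    sha1_seconds = time.perf_counter() - start

    start = time.perf_counter()
    for _ in range(rounds):
        hash_pbkdf2(password, salt)
    pbkdf2_seconds = time.perf_counter() - start

    return pbkdf2_seconds / max(sha1_seconds, 1e-9)


if __name__ == "__main__":
    salt = new_salt()
    record = hash_pbkdf2("correct horse", salt)
    print("verify ok:", verify_pbkdf2("correct horse", salt, record))
    print("PBKDF2 / salted-SHA-1 cost per attempt: %.0fx" % per_attempt_cost_ratio())
```

Both schemes store a per-user salt next to the digest and verify by recomputing; the only structural difference is that PBKDF2 (or bcrypt, scrypt, Argon2) charges the same large cost to the legitimate login and to every wrong guess, which is the property a fast hash like SHA-1 cannot provide no matter how the salt is attached.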

A screenshot of the listing for the sale of the Tumblr data breach on the dark web illegal marketplace The Real Deal.

That's why, Peace told me, the data was essentially just a list of emails, and he was only able to sell it for $150.

In any case, considering the age of the breach and the bad practices that were used at the time across websites, it's fair to assume half of the passwords could be cracked, according to Hunt.

This data breach is now listed on Have I Been Pwned as the third largest ever, after the hack of 164 million LinkedIn accounts and the breach of 152 million Adobe accounts. You can check there to find out if you were a victim, though you should've been notified by Tumblr when the company forced users to reset passwords after announcing the breach.

What's interesting about this incident is that it's come along with other massive data breaches that were just recently disclosed, but date back a few years.

"This data is lying dormant (or at least out of public sight) for long periods of time," Hunt wrote in a blog post on Monday.

Since Tumblr's data was discovered, years-old breaches at LinkedIn and MySpace have also emerged in the last couple of weeks. Whether there will be more, it's anyone's guess. But as we're slowly learning, everyone gets hacked, though sometimes we don't find out for years.

"If this indeed is a trend, where does it end? What more is in store that we haven't already seen?" Hunt wrote. "And for that matter, even if these events don't all correlate to the same source and we're merely looking at coincidental timing of releases, how many more are there in the 'mega' [breach] category that are simply sitting there in the clutches of various unknown parties?"

Correction: A previous version of this story and headline said that, according to Hunt, the breach had 68 million victims; the figure is actually 65 million.