Uh-oh
Hackers Stole 65 Million Passwords From Tumblr, New Analysis Reveals
Written by
Staff Writer
May 30, 2016 // 04:00 AM EST
On May 12, Tumblr revealed that it had just found out about a 2013 data breach affecting “a set” of users’ email addresses and passwords, but the company refused to reveal how many users were affected.
As it turns out, that number is 65 million, according to an independent analysis of the data.
Troy Hunt, a security researcher who maintains the data breach awareness portal Have I Been Pwned, recently obtained a copy of the stolen data set.
Hunt told Motherboard that the data contained 65,469,298 unique emails and passwords. (Tumblr did not immediately respond to a request to confirm the figure).
The passwords, however, were not in plaintext, but were “hashed,” a process that turns the actual password into a different string of digits. The company also added a series of random bytes at the end of the passwords before hashing them, or “salted” them, as Tumblr said when it disclosed the breach. The company, however, didn’t say exactly what algorithm it used to hash the passwords.
Since Tumblr’s announcement, the hacked data appears to have been circulating within the internet underground. A hacker known as Peace, who also claims to have the data and was selling it on the darknet marketplace The Real Deal, said Tumblr used SHA1 to hash the passwords. Given that it also used salt, they are very hard for hackers to crack.
That’s why, Peace told me, the data was essentially just a list of emails, and he was only able to sell it for $150.
In any case, considering the age of the breach and the bad practices that were used at the time across websites, it’s fair to assume half of the passwords could be cracked, according to Hunt.
This data breach is now listed on Have I Been Pwned as the third largest ever, after the hack of 164 million LinkedIn accounts and the breach of 152 million Adobe accounts. You can check there to find out if you were a victim, though you should’ve been notified by Tumblr when the company forced users to reset passwords after announcing the breach….
This Kid Is Some Kind Of Genius
This Kid Is Some Kind Of Encapsulation Of Our Dystopian Present