An independent analysis shows that more than 65 million Tumblr users had their e-mail addresses and passwords exposed in a 2013 data breach. Originally, the company declined to provide a number, saying only that “a set of users” had been affected.
Troy Hunt, a cyber security specialist who manages the Have I Been Pwned website, said he is in possession of a copy of the dataset leaked in the breach. After analyzing the data, Hunt found that 65,469,298 accounts were exposed in the hack.
Tumblr acknowledged the data leak on May 12, when it said that it had just found out about it. Fortunately, the passwords were “hashed,” that is, run through a one-way function that turns plaintext into a fixed-length string of random-looking digits. For security reasons, the site’s security experts added a set of random bytes to each password before hashing, a procedure also known as “salting.”
Since mid-May, the leaked data has been traveling on the Internet’s black markets. One of the hackers who was probably involved in the breach wrote on a hacker forum that the company used “SHA1” to hash the passwords. But because the passwords were also salted, they would be incredibly hard for thieves to crack.
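To make the effect of salting concrete, the following sketch (an example added here, not Tumblr's code) stores the same constructed passwords with plain SHA-1 and with salted SHA-1, then checks both against a precomputed table of common-password digests. The 16-byte salt, the salt-then-password layout, and all function names and sample accounts are assumptions for illustration.

```python
import hashlib
import hmac
import os


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def store_salted(password, salt=None):
    """Return (salt, digest). Assumed layout: SHA-1 over salt || password."""
    salt = os.urandom(16) if salt is None else salt  # 16 bytes is an assumption
    return salt, sha1_hex(salt + password.encode())


def verify_salted(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(sha1_hex(salt + password.encode()), digest)


def table_hits(digests, table):
    """Count stored digests found in a precomputed digest -> password table."""
    return sum(1 for d in digests if d in table)


def demo():
    # Constructed sample accounts; two of them share a password.
    accounts = {
        "alice@example.com": "sunshine1",
        "bob@example.com": "sunshine1",
        "carol@example.com": "x9!Lq7#vTz",
    }
    unsalted = [sha1_hex(p.encode()) for p in accounts.values()]
    rows = {user: store_salted(p) for user, p in accounts.items()}
    salted = [digest for _, digest in rows.values()]
    # Table built once, without knowledge of any salt.
    table = {sha1_hex(p.encode()): p for p in ("123456", "password", "sunshine1")}
    salt, digest = rows["alice@example.com"]
    return {
        "unsalted_duplicates": len(unsalted) - len(set(unsalted)),
        "salted_duplicates": len(salted) - len(set(salted)),
        "unsalted_table_hits": table_hits(unsalted, table),
        "salted_table_hits": table_hits(salted, table),
        "login_ok": verify_salted("sunshine1", salt, digest),
        "login_wrong": verify_salted("sunshine2", salt, digest),
    }


if __name__ == "__main__":
    print(demo())
```

The salt removes work that could otherwise be shared across accounts: identical passwords no longer produce identical digests, and a table computed in advance matches nothing. Checking a single guess against a single account still costs only one SHA-1 computation.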
An anonymous user who sold the database on a darknet marketplace said he was able to get only $150 because all passwords were encrypted and the only data of interest in the dataset were the e-mail addresses.
But Hunt believes that since 2013 hackers could have cracked at least half of the passwords. Hunt’s website described the Tumblr data breach as the fourth largest in the history of the Internet.
The largest ever may be the MySpace data breach, which compromised about 360 million accounts and passwords. Next in line are LinkedIn with 164 million and Adobe with 152 million.
In the last two weeks, LinkedIn and MySpace disclosed their own years-old security breaches. The phenomenon could be a lesson to Internet users who still believe that their site is bulletproof.
Hunt explained that there may be more hacks that take years to discover. In the meantime, the leaked data freely flows on the Internet, hidden from the eyes of the public.
If you aren’t sure whether your Tumblr account was compromised, you can check the Have I Been Pwned portal. All affected users, however, were already forced by the company to change their old passwords shortly after it learned about the hack.