Report Reveals Tumblr Was Hit by Massive Breach

Several weeks ago, Tumblr users went nuts hearing that the company had been the target of a data breach that resulted in the exposure of millions of user email addresses and hashed passwords.


Back then, Tumblr refused to reveal how many accounts were affected, but the stolen data was recently put up for sale and the number is truly devastating: 65 million records.

The data is being sold on TheRealDeal, a Tor dark market website, by a user named peace_of_mind. The same user had previously sold a whopping 167 million user records illegally obtained from LinkedIn.

Something’s fishy about peace_of_mind, because the user has recently also posted offers for 40 million accounts from adult dating website Fling.com, in addition to the 360 million allegedly stolen from MySpace.

According to Tumblr’s security announcement on May 12, the attackers stole user email addresses with hashed and salted passwords from early 2013, in the pre-Yahoo era of the company.

A copy of the data was obtained by Troy Hunt, a security researcher, and he uploaded it to Have I been pwned?, a website that he administers. The purpose of his site is for users to be able to check if they were affected by known data breaches.

For those unfamiliar with the term, hashing is “a one-way operation that generates unique, verifiable cryptographic representations of a string called hashes.”

Hashes are used for validating and storing passwords in databases because an attacker who steals the database is not supposed to be able to turn the hashes back into usable passwords.

However, malicious individuals have already figured out cracking techniques that defeat old hashing algorithms like MD5 and SHA1.

This is what happened in the recent LinkedIn breach, where the password hashes were created with vanilla SHA1, allowing researchers to convert over 80 percent of them back into passwords.

Tumblr’s case is a bit more fortunate as the hashes are also “salted,” a term referring to a random bit of text that was added to the passwords before they were hashed. This makes cracking much less feasible, assuming that the salts themselves are not compromised.
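To make the difference between vanilla and salted hashes concrete, here is an added example (not from Tumblr, LinkedIn or the original report) that stores the same constructed accounts both ways and checks them against a table of common-password hashes computed once. The account names, passwords, 16-byte salt and salt-then-password layout are assumptions for illustration; the report does not say how Tumblr built its hashes.

```python
import hashlib
import os

# Constructed sample data: three accounts, two of which share a password.
USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "x9!Lq#72vTz"}
# Constructed list of common passwords, standing in for a precomputed table.
COMMON = ["123456", "password", "sunshine", "qwerty"]

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def store_unsalted(users):
    """Vanilla SHA1: the stored value depends only on the password."""
    return {u: sha1_hex(p.encode()) for u, p in users.items()}

def store_salted(users):
    """Salted SHA1 (assumed layout): random per-user salt, then the password."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt.hex(), sha1_hex(salt + p.encode()))  # salt kept beside hash
    return out

def digest_only(salted):
    """Drop the salt column so both schemes can be compared the same way."""
    return {u: h for u, (_salt, h) in salted.items()}

def table_hits(stored, wordlist):
    """Users whose hash appears in a table computed once from the wordlist."""
    table = {sha1_hex(w.encode()) for w in wordlist}
    return sorted(u for u, h in stored.items() if h in table)

def shared_hashes(stored):
    """Groups of users with identical stored hashes (reuse is visible)."""
    groups = {}
    for u, h in stored.items():
        groups.setdefault(h, []).append(u)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    plain = store_unsalted(USERS)
    salted = digest_only(store_salted(USERS))
    print("unsalted, matched by one table:", table_hits(plain, COMMON))
    print("unsalted, identical hashes:    ", shared_hashes(plain))
    print("salted, matched by one table:  ", table_hits(salted, COMMON))
    print("salted, identical hashes:      ", shared_hashes(salted))
```

The salt removes the shared table and hides password reuse, but a weak password can still be guessed one account at a time by anyone who holds that account's salt, which is why changing the password is still the right move.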

Even so, Tumblr users should go ahead and change their passwords as soon as possible. If they want to make sure their accounts are safe, they can check the HaveIBeenPwned.com database by searching for their email address.
