Data set reveals 65m passwords were stolen in 2013 Tumblr hack

31 May 2016

New data on the 2013 hack of Tumblr has revealed the true extent of the breach: a total of 65m passwords were stolen.

The Tumblr hack was one of the biggest seen on a social media platform, but it is only now that the true scale of it is beginning to come to light.

Tumblr took to its blog to confirm that a breach did occur three years ago, prior to its acquisition by Yahoo, and that a set of email addresses was obtained during the hack.

Selling on the dark web

Security researcher Troy Hunt, along with his rather helpful web resource, Have I Been Pwned, has managed to obtain a seemingly legitimate data set that appears to show the true extent of the damage, which if accurate would rank it as the third-largest breach ever.

A total of 65,469,298 emails and passwords were obtained during the breach. The passwords in this set had been scrambled, or ‘hashed’, which transforms each password into a different string of characters.


A screenshot of the Tumblr account details for sale on the dark web. Image via Troy Hunt

The hacked data obtained during the breach is now doing the rounds online and one particular hacker who goes by the name of ‘peace_of_mind’ is allegedly selling the data to anyone with the right amount of money on the dark web.

While this hashing means the passwords are not exposed in plain text, anyone who bought the data set would still have access to people’s email addresses, which could still give hackers a way into accounts.

Interesting patterns emerging

Speaking on his blog, Hunt said the spate of data breaches revealed this month is unprecedented and fascinating from a security researcher perspective.

“There are some really interesting patterns emerging here,” he said.

“One is obviously the age; the newest breach of this recent spate is still more than three years old. This data has been lying dormant (or at least out of public sight) for long periods of time.”

The likely reason, he goes on to say, is the appearance of these mega breaches on the dark web marketplace at the same time.

Just recently, on 27 May, news came through of one seller on the dark web selling what they alleged to be 427m stolen passwords from the former social media powerhouse MySpace.

If true, this would make it the largest data theft ever, quadrupling the current record holder, which saw LinkedIn have 167m user details compromised following its own data breach.


Colm Gorey was a senior journalist with Silicon Republic
