Tumblr’s massive security breach has consequences

May 31, 2016 |

The consequences of a data breach can sometimes take an age to resolve. The ongoing reputational damage can be excruciating, as Tumblr is discovering. In 2013 there was a security breach of the Zendesk system which resulted in data breaches at three of its clients: Twitter, Pinterest and Tumblr. This was reported by Wired in Zendesk Security Breach Affects Twitter, Tumblr and Pinterest.

Tumblr has just notified its users that they need to change their passwords because of that breach of 3 years ago. It stated:

We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password.

This has been reported in Hackers Stole 65 Million Passwords From Tumblr, New Analysis Reveals:

On May 12, Tumblr revealed that it had just found out about a 2013 data breach affecting “a set” of users’ email addresses and passwords, but the company refused to reveal how many users were affected.

As it turns out, that number is 65 million, according to an independent analysis of the data.

Troy Hunt, a security researcher who maintains the data breach awareness portal Have I Been Pwned, recently obtained a copy of the stolen data set.

Hunt told Motherboard that the data contained 65,469,298 unique emails and passwords. (Tumblr did not immediately respond to a request to confirm the figure).

The passwords, however, were not in plaintext, but were “hashed,” a process that turns the actual password into a different string of digits. The company also added a series of random bytes at the end of the passwords before hashing them, or “salted” them, as Tumblr said when it disclosed the breach. The company, however, didn’t say exactly what algorithm it used to hash the passwords.

Since Tumblr’s announcement, the hacked data appears to have been circulating within the internet underground. A hacker known as Peace, who also claims to have the data and was selling it on the darknet marketplace The Real Deal, said Tumblr used SHA1 to hash the passwords. Given that it also used salt, they are very hard for hackers to crack.

A screenshot of the listing for the sale of the Tumblr data breach on the dark web illegal marketplace The Real Deal.

That’s why, Peace told me, the data was essentially just a list of emails, and he was only able to sell it for $150.

In any case, considering the age of the breach and the bad practices that were used at the time across websites, it’s fair to assume half of the passwords could be cracked, according to Hunt.

This data breach is now listed on Have I Been Pwned as the third largest ever, after the hack of 164 million LinkedIn accounts and the breach of 152 million Adobe accounts. You can check there to find out if you were a victim, though you should’ve been notified by Tumblr when the company forced users to reset passwords after announcing the breach.

What’s interesting about this incident is that it’s come along with other massive data breaches that were just recently disclosed, but date back a few years.

“This data is lying dormant (or at least out of public sight) for long periods of time,” Hunt wrote in a blog post on Monday.

Since Tumblr’s data was discovered, years-old breaches at LinkedIn and MySpace have also emerged in the last couple of weeks. Whether there will be more, it’s anyone’s guess. But as we’re slowly learning, everyone gets hacked, though sometimes we don’t find out for years.

“If this indeed is a trend, where does it end? What more is in store that we haven’t already seen?” Hunt wrote. “And for that matter, even if these events don’t all correlate to the same source and we’re merely looking at coincidental timing of releases, how many more are there in the ‘mega’ [breach] category that are simply sitting there in the clutches of various unknown parties?”

All the more reason to have proper data security.
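The quoted article describes Tumblr's passwords as salted SHA-1 hashes and notes that the salt is what made the dump hard to crack wholesale, while Hunt still expects about half of the weak passwords to fall. The following added example (not Tumblr's code, nor Motherboard's or Hunt's) illustrates both points with constructed sample data: it assumes the salt is appended after the password, as the article says, shows why a random per-user salt defeats a precomputed hash table, and goes one step further than the text by contrasting fast SHA-1 with a deliberately slow password hash (PBKDF2-HMAC-SHA256 via Python's standard hashlib), which is the mitigation a defender would reach for today.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data for the demonstration; nothing here comes from the breach.
WORDLIST = ["password123", "letmein", "qwerty", "tumblr2013"]
USER_PASSWORDS = {"alice": "password123", "bob": "password123", "carol": "Xk9#vR2$pL"}


def sha1_unsalted(password: str) -> str:
    """Bare SHA-1 of the password: the same password always yields the same hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """SHA-1 over password || salt, the layout the article attributes to Tumblr (assumed)."""
    return hashlib.sha1(password.encode("utf-8") + salt).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Stored credential: a fresh random 16-byte per-user salt plus the salted hash."""
    if salt is None:
        salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": sha1_salted(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute the salted hash and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(sha1_salted(password, salt), record["hash"])


def precomputed_table(wordlist) -> dict:
    """Unsalted SHA-1 lookup table: built once, reusable against any unsalted dump."""
    return {sha1_unsalted(w): w for w in wordlist}


def table_hits(hashes, table: dict) -> int:
    """How many dumped hashes the precomputed table resolves with no further work."""
    return sum(1 for h in hashes if h in table)


def make_record_slow(password: str, salt: Optional[bytes] = None,
                     iterations: int = 600_000) -> dict:
    """Same idea with a deliberately slow KDF. The iteration count is the cost knob;
    600,000 matches published OWASP guidance for PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_slow(password: str, record: dict) -> bool:
    """Verification pays the same per-guess cost an attacker would."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> dict:
    """Compare an unsalted dump with a salted one against the same precomputed table."""
    unsalted = [sha1_unsalted(p) for p in USER_PASSWORDS.values()]
    records = {u: make_record(p) for u, p in USER_PASSWORDS.items()}
    table = precomputed_table(WORDLIST)
    return {
        # alice and bob share a password: visible at a glance without salt, hidden with it
        "unsalted_duplicates": unsalted[0] == unsalted[1],
        "salted_duplicates": records["alice"]["hash"] == records["bob"]["hash"],
        # the table resolves both weak unsalted hashes, but none of the salted ones
        "unsalted_table_hits": table_hits(unsalted, table),
        "salted_table_hits": table_hits([r["hash"] for r in records.values()], table),
        "verify_ok": verify("password123", records["alice"]),
        "verify_wrong": verify("password124", records["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt only removes the attacker's ability to precompute and to spot shared passwords; a weak password in a salted SHA-1 record still falls to a per-record guess at SHA-1 speed, which is why Hunt's "half could be cracked" estimate is plausible and why `make_record_slow` raises the per-guess cost for legitimate and illegitimate checks alike.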
