Tumblr was the subject of a data breach back in 2013, before being acquired by Yahoo. The company only discovered the breach on May 12. At the time, the microblogging service claimed that only "a set" of users were affected; however, an analysis of the data shows this not to be accurate.
The leaked data included 65,469,298 emails and passwords. The passwords were hashed and salted, but Tumblr did not state the algorithm used in the process. The hacker who is circulating the data, known as Peace, claims it was SHA-1, which is compromised and insecure. The same process was used in the recent MySpace breach, too. However, in this case, the passwords are salted, making them much harder to crack, though not necessarily impossible.
Troy Hunt, founder of the 'Have I Been Pwned?' breach tracking service, says that at least half of the passwords could be cracked. His website now lists Tumblr as the third largest breach, after both LinkedIn and Adobe, adding to the ever-growing list of data leaks.
Tumblr should have notified all users it believed to have been affected, but just in case, you can check whether you have been involved in this breach by entering your email address on the 'Have I Been Pwned?' website, where you can also sign up for email notifications of future breaches. You can also stay alert to non-sensitive breaches on your Windows 10 device using the newly released 'Hacked?' app, which will send you a notification within 12 hours if you are affected by a breach.
Source: Motherboard