Euro Security Watch with Mathew J. Schwartz

Fraud Management & Cybercrime

'Historical Mega Breaches' Continue: Tumblr Hacked

Newly Spotted Breach Follows Similar LinkedIn, Fling, MySpace Warnings
'Historical Mega Breaches' Continue: Tumblr Hacked

In the wake of reports that 65 million stolen credentials from micro-blogging platform Tumblr have surfaced in a darknet marketplace, it's clear that 2016 is fast becoming the year of "historical mega breaches."

See Also: 5 Requirements for Modern DLP

That's Australian security expert Troy Hunt's encapsulation of the recently revealed, but older, string of massive data breaches (see Troy Hunt: The Delicate Balance in Data Breach Reporting).

Other older mega breaches that have just been revealed include the theft of 360 million accounts from MySpace - it's not clear when they were stolen - which is the biggest breach listed on "Have I Been Pwned?" - Hunt's free breach notification site. It's followed by the 2012 theft of 165 million accounts and 117 million credentials from LinkedIn, Tumbler, and then the 2011 breach of 41 million accounts at "adult social network" Fling, which also only came to light this month.

Hunt notes that together, these newly disclosed old breaches represent four of the five largest data breaches ever seen.

Tumblr Sounds 2013 Breach Alert

Tumblr first issued a related security warning pertaining to its 2013 breach this month, but it didn't indicate how many accounts may have been compromised. "We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo," Tumblr's May 12 security alert reads. "As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password."

The stolen Tumblr data is being offered for sale by a hacker known as Peace - also the seller behind the stolen LinkedIn, Fling and MySpace credentials - via the darknet marketplace The Real Deal, reports Motherboard. But the information is reportedly only being sold for about $150 in bitcoins, apparently thanks to Tumblr having "hashed" the passwords - which converts each one into an alphanumeric string - after having first "salted" them, which adds unique digits to each password, thus making them harder to crack.

A hacker known as "Peace" has offered stolen Tumblr credentials for sale on the darknet marketplace known as The Real Deal.

Tumblr's Password-Hash Fail

Tumblr hasn't disclosed which hashing algorithm it used. In theory, hashing will make passwords tougher to reverse engineer, provided the hashing is correctly implemented (see Researchers Crack 11 Million Ashley Madison Passwords).

But Hunt says that Tumblr used the SHA1 cryptographic hash function and estimates that at least half of its passwords being sold could be cracked.

If that's true, Tumblr's hashing practices weren't up to snuff. Indeed, security experts have long warned that SHA1 should never be used for passwords, and that only dedicated password hashes - such as mcrypt - be used instead (see LinkedIn's Password Fail). As a result, security experts warn that anyone who's reused their Tumblr password on other sites should change every password, preferably to something that's unique.

Spring Cleaning for Hackers

It's not clear what the impetus might be behind so many old breaches now coming to light, especially when the credentials are being offered for so little money. Perhaps it's just a bit of stolen-credential spring cleaning on the part of hackers such as Peace.

But the spate of newly discovered historical mega breaches is a reminder that some breaches may go undetected for years. Others, such as the LinkedIn breach - originally believed to encompass 6.5 million credentials - apparently can turn out to be much worse than anyone seems to have realized. And if the spate of recent breach revelations is any indication, there may be more bad news soon to come.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.