Enormous extent of the 2013 data breach revealed

Three years on from a huge data breach on Tumblr, the true extent of the hack has been revealed.


Tumblr itself has refused to reveal how many users were affected, and merely referred to the number as ‘a set’.


However, an independent report by data breach awareness site, Have I Been Pwned (HIBP), claims that 65,469,298 email addresses and passwords were stolen. 


Troy Hunt, a security researcher who maintains HIBP, managed to obtain a copy of the stolen data set.


Mr Hunt told Motherboard that the data contained 65,469,298 unique emails and passwords. 


While Tumblr is yet to confirm the figure, if it is correct, HIBP said that would make it the third biggest ever security breach.


In a statement released earlier this month, Tumblr said: ‘As soon as we became aware of this, our security team thoroughly investigated the matter. 


‘Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password.’


The hacked passwords were not in plain text, but instead went through a process called ‘salting and hashing’ where they were transformed into a string of digits.  


Tumblr did not explain the exact algorithm it used to hash the passwords, but did advise that people should still be wary and change their passwords. 


Since Tumblr’s announcement about the data breach in 2013, the data in question appears to have been circulating around the internet underground.


A hacker known as ‘Peace’ claims to have the data and was selling it on the internet marketplace The Real Deal.


Peace said Tumblr used an algorithm called SHA1 to hash and salt the passwords. 


If this is correct, it would make it very hard for hackers to crack.


This means that despite the huge amount of data, it is essentially just a list of email addresses and not of much use to Peace – who only sold it for £103 ($150).


However, Mr Hunt said that considering the data breach was three years ago, and the bad practices that were used at the time across websites, it is fair to assume half of the passwords could be cracked.


This data breach is listed on HIBP as the third largest ever. This comes just behind a hack of 164 million LinkedIn accounts and the breach of 152 million Adobe accounts.  

Read the full article