Tumblr Data Breach ‘Affects 65 Million Users’

Recently discovered data leaks suggest bad security practices may have effects that aren’t discovered until years later

A Tumblr data breach discovered earlier this month affected the personal data of more than 65 million of the site’s users, according to a new analysis of the leaked data.

The figure makes the Tumblr breach one of the largest to date, comparable to other large sets of user data that have recently made their way onto the public Internet, and suggests that websites’ insecure practices can mean consequences that may not come to light until years later.


Major breach

Like breaches affecting LinkedIn, sex-oriented social network Fling and most recently MySpace, the Tumblr data came to light when it was listed for sale on a website called TheRealDeal that specialises in sales of hacker contraband such as previously unknown software exploits.

The Tumblr data set contains 65,469,298 unique records, according to Troy Hunt, who maintains Have I Been Pwned, a searchable database of leaked data.

Tumblr didn’t disclose the number of users affected by the breach, which it said occurred in 2013 but was only discovered early this month. The site disclosed the breach on 12 May.

The database contains email addresses and passwords, but according to Tumblr the passwords are encrypted and further protected by a cryptographic process called salting, which involves adding random data to each password so that the stored values are more difficult to decipher.
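To make the salting described above concrete, here is an added example (not Tumblr's code, and not derived from the leaked data) that contrasts an unsalted password digest with a per-user salted and stretched one; the sample credentials are constructed.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed sample credentials for the demo; not from any leaked data set.
SAMPLE_USERS = {"alice@example.com": "hunter2", "bob@example.com": "hunter2"}

PBKDF2_ROUNDS = 100_000  # work factor; raise as hardware gets faster


def unsalted_hash(password: str) -> str:
    """Weak scheme: a single plain SHA-1 of the password with no salt.
    Identical passwords yield identical digests, so a leaked table can be
    matched in bulk against precomputed digests of common passwords."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt, stretched with PBKDF2-HMAC-SHA256.
    Stored form is 'salt_hex$digest_hex' so the salt travels with the record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def identical_password_collisions(users: Dict[str, str], hasher: Callable[[str], str]) -> int:
    """Count stored values shared by more than one user. With an unsalted scheme
    such collisions expose password reuse and let one cracked digest unlock
    every matching account; with per-user salts they do not occur."""
    seen: Dict[str, list] = {}
    for email, pw in users.items():
        seen.setdefault(hasher(pw), []).append(email)
    return sum(1 for emails in seen.values() if len(emails) > 1)


if __name__ == "__main__":
    print("unsalted collisions:", identical_password_collisions(SAMPLE_USERS, unsalted_hash))
    print("salted collisions:  ", identical_password_collisions(SAMPLE_USERS, salted_hash))
```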

The individual offering the data for sale on TheRealDeal, who uses the pseudonym Peace Of Mind, told Internet news site Motherboard that the protections meant the data could only be offered for sale for .425 Bitcoin, or about £157.

By contrast, the same seller is offering the LinkedIn data on TheRealDeal for 2 Bitcoin and the MySpace data for 6 Bitcoin, or more than £2,200, according to Hunt.

Years-old hacks

The recently disclosed breaches affecting LinkedIn, Fling, MySpace and Tumblr all follow the same pattern: all are amongst the largest known to date, and all result from hacks that took place several years ago.

The LinkedIn hack, involving 164 million user email addresses, took place in 2012; the Fling hack, involving 40 million users, took place in 2011; and the Tumblr hack dates from 2013.

MySpace hasn’t yet indicated when the breach of its systems, involving 360 million records, took place, but the individual offering the data for sale on TheRealDeal said it, too, was a previously unreported incident from some time ago.

The MySpace breach is the largest on Have I Been Pwned’s records, according to Hunt, followed by LinkedIn, an Adobe leak that affected 152 million accounts, Tumblr and Fling.

Hunt suggested the pattern indicates that even as websites scramble to improve the way they protect user data, many may find that they are too late.

“This data is lying dormant (or at least out of public sight) for long periods of time,” he wrote in a blog post. “I honestly don’t know how much more data is floating around out there, but apparently it’s much more than even I had thought only a week ago.”
