Email addresses and salted, hashed passwords of 65 million Tumblr users are being sold online by “peace_of_mind,” aka “Peace,” the individual who recently offered for sale LinkedIn users’ data dating back to a 2012 breach.
The account credentials stolen from Tumblr are also old – according to researcher Troy Hunt, they were stolen in the site’s February 2013 breach.
Tumblr warned about the breach earlier this month, but did not say how many users are affected.
“We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password,” they said.
Peace is selling the lot for less than half a bitcoin (around $150), so it seems that the passwords are relatively safe from cracking. But, as many have pointed out, a list of the email addresses of 65 million Tumblr users can come in handy for mounting phishing attacks – something the Tumblr team failed to warn about.
Hunt notes that all of these breaches (including the MySpace one announced recently) date back a few years.
“There’s been some catalyst that has brought these breaches to light and to see them all fit this mould and appear in such a short period of time, I can’t help but wonder if they’re perhaps related. One explanation may be related to the presence of these breaches being listed for sale on the dark market,” he mused.
“These 3 are all listed by peace_of_mind and by all accounts, this individual is peddling a quality product. Apparently, buyers are happy. Now this is not to say that peace is the guy who’s hacking into these sites and indeed attribution can be hard, particularly after so much time has passed by since the sites were actually attacked. But certainly there’s a trend here which is hard to ignore.”
Time will tell if there will be other similar revelations.
In the meantime, you can check via the Have I been pwned? service whether this latest batch of data offered for sale contains your email address and password.