Home Archives Resources Profiile Feeds/RSS
Courts To Use Risk Scores More Frequently. Analysis Found Scores Unreliable And Racial Bias
Congressional Sources Say The Burr-Feinstein Anti-Encryption Bill is Dead

Emails And Passwords For Sale From The Massive Tumblr Data Breach

Tuesday, May 31, 2016

Tumblr logo Things seem to be getting worse as Tumbler, a blogging platform Yahoo acquired in 2013. First, Tumblr announced on May 12 a possible data breach, which stated:

"We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password."

That early May announcement directed users to reset their passwords, and use secure https connections. It didn't state the number of affected accounts. Well, now we know more.

Softpedia reported on May 30 that valid Tumblr passwords are available online for sale:

"Independent security researcher Troy Hunt revealed today that he received a data dump that contains 65,469,298 emails and hashed passwords, which the anonymous donor said belonged to Tumblr users. The researcher tracked the data dump to The Real Deal Dark Web marketplace, where a hacker by the name of Peace (also known as Peace_of_mind) is selling it for 0.4255 Bitcoin ($225)..."

That's 65.4 million passwords compromised. A massive breach affecting about one out of every eight Tumblr users. The good news: Tumblr had encyrpted its users' passwords. The bad news: the hackers have broken the encryption. That means Tumblr users probably should, a) change their passwords again, and b) inquire what Tumblr is doing to better protect sensitive information so this doesn't happen again.

It seems that Tumblr's breach detection and security processes are both lacking. Softpedia also reported:

"Peace, the hacker that's selling the data, is the same person that put up for sale the MySpace and LinkedIn data dumps, but also other online services such as Fling.com and the Linux Mint forum."

Hmmm. It seems that several social networking sites need to improve their defenses.

Posted at 09:00 AM in Corporate Responsibility, Data Breaches, Privacy, Social Networking | | Comments (0)

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.