65 million Tumblr passwords stolen and up for sale

On 12 May, Tumblr revealed that it had just discovered a 2013 breach of user email addresses and passwords.

Details were sparse, and the company reportedly refused to put a number on the affected accounts.

Now, we know: the dataset included more than 65 million accounts, up for sale on the Dark Web, as confirmed by an independent security researcher.

Troy Hunt, who maintains the data breach awareness portal Have I Been Pwned, on Monday sent out an email blast to affected Tumblr users who’d signed up for notifications when their accounts are pwned (including me).

According to the advisory, the total number of compromised accounts is 65,469,298.

That puts it in third place in the list of largest data breaches ever recorded on Have I Been Pwned, after the 164 million LinkedIn passwords listed for sale on the Dark Web earlier this month after a 2012 breach and the 152 million accounts from the 2013 Adobe breach.

Those are big leaks, but there’s a bigger one that still has to make it onto Have I Been Pwned’s list of top breaches: 360 million accounts from a past, unreported breach of MySpace.

What’s triggering this spate of datasets emerging from years-old breaches?

As Hunt said in a post on Monday, we’re seeing some commonalities:

  • The age: the age of the most recent breach is still more than 3 years. We don’t know the age of the MySpace breach, but MySpace hasn’t been widely used for years, so that breach also likely dates back a while
  • The size: these four breaches are in the top 5 of the biggest Have I Been Pwned has ever seen. Once the MySpace data shows up, these 4 incidents will account for two thirds of all the data in the system
  • The reveal: all the datasets have emerged in May
  • The purveyor: all four datasets have been listed for sale on the Dark Web by the same account, “peace_of_mind,” who’s known simply as “Peace.”

Just because Peace offered them for sale doesn’t mean that he’s the one responsible for any of the initial breaches. Maybe they were sitting around untouched for years, or maybe they’ve been passed from illicit hand to illicit hand for years.

But as Hunt noted, if all of this adds up to a trend, it’s quite possible that it will continue. If so, we can gird our loins for more enormous breaches surfacing and for more public releases of data.

Tumblr says it looks like the logins haven’t been used by whoever nabbed them:

We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter.

Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password.

Passwords that are securely stored should be salted and hashed (we have a detailed article for techies and an explanation in plain English in our article about the recent MySpace breach), so there’s a bit of a silver lining here.

The salt isn’t a secret cryptographic key – indeed, it’s typically stored along with the final password hash – but instead serves to ensure that if two users pick the same password, they don’t end up with the same hash.

Salting therefore ensures that hash-cracking lists can’t be pre-computed for all users in advance: you’d have to pre-compute a hash list for each possible salt combined with each possible dictionary word. What salting doesn’t do is protect a weak password on its own. An attacker who has the dump also has each user’s salt, so a dictionary attack still works; it simply has to be run afresh, guess by guess, against each account’s salt rather than once for everybody. That is why the choice of hash function matters as much as the salt: a deliberately slow algorithm makes each of those per-account guesses expensive, whereas a fast one lets a well-equipped cracker churn through billions of them.
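To make the difference concrete, here is an added example (not code from the article, and not Tumblr’s actual scheme, which the article does not specify) that stores one password two ways: bare SHA-256 with no salt, and a per-user random salt fed through PBKDF2-HMAC-SHA256. The iteration count and the toy wordlist are this example’s own choices. It then plays the attacker with a table pre-computed before any breach, showing that the table cracks the unsalted store with a single lookup, is useless against the salted store, and that the salted dictionary word still falls, but only after re-hashing every guess for that one salt.

```python
import hashlib
import hmac
import os

# Constructed illustration of salted versus unsalted password storage.
# The article does not say which hash or parameters Tumblr used; the
# algorithm and iteration count below are this example's assumptions.
ITERATIONS = 50_000


def hash_unsalted(password):
    """The weak setting: a bare hash. Equal passwords give equal hashes,
    and one pre-computed table cracks every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt=None):
    """Store 'salt$hash'. The salt is random per user and kept in the clear
    next to the hash: it is not a secret key, it only makes each hash unique."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "%s$%s" % (salt.hex(), digest.hex())


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# --- attacker side ---------------------------------------------------------

def precomputed_table(wordlist):
    """Built once, before any breach, then reused against every unsalted dump."""
    return {hash_unsalted(w): w for w in wordlist}


def crack_unsalted(stored_hash, table):
    """One dictionary lookup per account; no hashing at crack time."""
    return table.get(stored_hash)


def crack_salted(stored, wordlist):
    """No shortcut: every guess is hashed again for this one salt, and again
    for the next user's salt. Salting does not rescue a dictionary word; it
    only removes the pre-computation and makes each account cost its own work."""
    for guess in wordlist:
        if verify_salted(guess, stored):
            return guess
    return None


def demo():
    """Run both stores through the same attacker and report what happened."""
    wordlist = ["123456", "password", "letmein", "tumblr2013", "hunter2"]  # constructed
    table = precomputed_table(wordlist)

    alice_unsalted = hash_unsalted("letmein")
    bob_unsalted = hash_unsalted("letmein")
    alice_salted = hash_salted("letmein")
    bob_salted = hash_salted("letmein")

    return {
        "unsalted_collide": alice_unsalted == bob_unsalted,     # True: same password, same hash
        "salted_collide": alice_salted == bob_salted,           # False: different salts
        "unsalted_cracked": crack_unsalted(alice_unsalted, table),  # 'letmein' by lookup
        "table_vs_salted": crack_unsalted(alice_salted, table),     # None: table is useless
        "salted_cracked": crack_salted(alice_salted, wordlist),     # 'letmein', per-salt work
        "verify_ok": verify_salted("letmein", alice_salted),
        "verify_bad": verify_salted("Letmein", alice_salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %s" % (key + ":", value))
```

Note that `crack_salted` still recovers the password: the lesson is not that salting makes “letmein” safe, but that the attacker pays the full cost of PBKDF2 for every guess against every account instead of amortising one table over the whole dump. Raising `ITERATIONS` (or using bcrypt, scrypt or Argon2) is what turns that per-guess cost into a real barrier.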

As with any data breach, those affected should head over to Tumblr to change their passwords immediately.

Finally, if you’ve used the same password in other places (which of course you shouldn’t – and here’s why it matters), you should head to those other sites and change it there – using a unique password for each site.