Login details of 65 million Tumblr users appear online
Security researcher Troy Hunt’s “have I been pwned” site has revealed the credentials of 65 million Tumblr users. These come from a hack that took place in 2013. The passwords are hashed and salted.
Earlier this month, Tumblr said the leaked data would involve “a number of Tumblr users’ email addresses.” However, it now appears that much more data is involved. The data was offered for sale on the site The Real Deal for 0.4 bitcoin, equivalent to about 192 euros. The seller, who goes by the name “Peace”, is the same one who sold the LinkedIn data. On the researcher’s site, users can check whether their data is part of the hack.
It is not clear which algorithm was used to hash the passwords; the seller claimed it was the outdated SHA-1 algorithm, Motherboard reported. Because a salt was also added, the passwords are more difficult to crack, which is why the seller charges a relatively low price for the data.
Researcher Troy Hunt estimates that half of the passwords could have been cracked by now, because the data was stolen back in 2013. On his site, the Tumblr hack now ranks third among the largest hacks to date, after Adobe and LinkedIn. Hunt suspects that there is a connection between the recent major incidents and expects that more major hacks will most likely become known in the near future.
Before the weekend, the vendor “Peace” also offered a collection of 360 million MySpace user credentials through the same site, 111 million of which have usernames. The passwords were only hashed and not salted. An analysis found that the most commonly used password was “homelesspa”; this was more popular than “password1” or “abc123,” according to Motherboard. Its popularity appears to be due to the fact that this password was used to automatically generate accounts.
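As an added illustration (not part of the original article), this Python sketch shows why unsalted hashes like the MySpace ones make a most-common-password analysis possible, while per-user salts, as reported for the Tumblr data, hide duplicates. The account names, the salt-prepended SHA-1 construction and the PBKDF2 parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not taken from any breach data).
ACCOUNTS = [
    ("alice", "homelesspa"),
    ("bob", "homelesspa"),
    ("carol", "homelesspa"),
    ("dave", "password1"),
    ("erin", "abc123"),
]

def unsalted_sha1(password):
    """Weak: identical passwords always give identical digests."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_sha1(password, salt):
    """Per-user salt hides duplicates, but SHA-1 is still fast to guess against."""
    return hashlib.sha1(salt + password.encode()).hexdigest()

def slow_salted_hash(password, salt, iterations=200_000):
    """Hardened storage: salted and deliberately slow (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def verify(password, salt, stored_hex, iterations=200_000):
    """Check a login attempt with a constant-time comparison."""
    return hmac.compare_digest(slow_salted_hash(password, salt, iterations), stored_hex)

def largest_duplicate_group(digests):
    """Size of the biggest set of accounts sharing one stored digest."""
    return Counter(digests).most_common(1)[0][1]

def build_tables(accounts=ACCOUNTS):
    """Return (unsalted digests, salted digests, per-user salts) for the sample."""
    salts = {user: os.urandom(16) for user, _ in accounts}
    unsalted = [unsalted_sha1(pw) for _, pw in accounts]
    salted = [salted_sha1(pw, salts[user]) for user, pw in accounts]
    return unsalted, salted, salts

if __name__ == "__main__":
    unsalted, salted, _ = build_tables()
    print("unsalted, largest group of identical digests:", largest_duplicate_group(unsalted))
    print("salted,   largest group of identical digests:", largest_duplicate_group(salted))
```

A per-user salt removes the duplicate signal, but only a slow, salted function such as the PBKDF2 variant raises the cost of each individual guess.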