LinkedIn Hacker is Now Selling 65 Million Tumblr Passwords, Stolen in 2013

Rafia Shaikh
Posted May 30, 2016
33Shares
Share Tweet Submit

It’s raining passwords this month. In the latest stolen-passwords news, over 65 million passwords and email addresses were leaked in a Tumblr data breach and are now being sold in a dark web marketplace.

65 million Tumblr passwords are now available in the dark web

Tumblr revealed earlier in the month that it had just found out about a 2013 data breach that affected some of its users. While the company refused to share details of exactly how many users were affected, independent analysis is here to surprise us all. This “set” of users is apparently 65 million large, as Troy Hunt, security researcher responsible for the popular Have I Been Pwned site, has claimed. Hunt has apparently obtained a copy this stolen data set, and has shared that the database contained 65,469,298 unique emails and passwords.

After Tumblr made this announcement, the hacked data started circulating in the dark web. The same hacker responsible for selling LinkedIn and MySpace passwords is now selling Tumblr’s hacked data in The Real Deal marketplace. During the breach statement, Tumblr had said that the passwords were “salted,” or hashed, which would make it difficult for hackers to crack them. Unlike LinkedIn and MySpace, Peace is unable to demand for over $2,000 for the data, because the data is essentially “just a list of emails.” However, Hunt told Motherboard that it won’t be too difficult to crack them, “In any case, considering the age of the breach and the bad practices that were used at the time across websites, it’s fair to assume half of the passwords could be cracked.”

Hackers are Using Stolen LinkedIn Data to Spread Banking Malware via Phishing Emails

tumblr hack passwords stolen

Tumblr’s data breach is listed on Have I Been Pwned as the third largest ever, after LinkedIn’s 164 million and Adobe’s 152 million accounts. MySpace is yet to be confirmed, which will, of course, top this list.

Following the disclosure, Tumblr forced its users to reset their passwords, which means if you haven’t been made to reset your passwords, you probably weren’t a victim. If you are still worried about your security, you can go to HIBP to confirm if you are a victim of this data breach.

It’s interesting to note that this is the third major data breach that has been reported and leaked in the dark web this month, after years of lying dormant. The same hacker, known as Peace, seems to be selling the data, which makes us wonder if he has any more such massive data sets up his sleeves that he is yet to sell.

Share Tweet Submit