65m Tumblr passwords for sale on the dark web
Tumblr recently revealed it had been hacked in 2013 as user credentials have now surfaced online
Earlier this month Yahoo-owned social blogging platform Tumblr publicised that its customer database had been hacked in 2013. Three years later, 65m passwords have appeared on the darknet marketplace.
The database includes email addresses and passwords, however Tumblr said it hashed the passwords, a method that ensures it is impossible to restore the passwords to a useable state by turning them into strings of digits. Nevertheless, Motherboard has reported that the credentials have since appeared for sale on darknet marketplace dubbed The Real Deal for $150.
Tumblr released a statement earlier this month which said: "As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password."
Security researcher Troy Hunt said that the data contained 65,469,298 unique email addresses and password, which have now been added to "Have I Been Pwned", a website that enables Tumblr users to enter their email addresses to check if they have been compromised.
Hunt also mentioned that there has been a rise in the number of "historical mega breaches", for instance 117m LinkedIn accounts surfaced on the dark web this month from when it was hacked in 2012 and also 360m MySpace accounts appeared for sale.
"There are some really interesting patterns emerging here. One is obviously the age; the newest breach of this recent spate is still more than 3 years old. This data has been lying dormant (or at least out of public sight) for long periods of time," said Hunt in a blogpost.
"Then there's the fact that it's all appearing within a very short period of time - all just this month. There's been some catalyst that has brought these breaches to light and to see them all fit this mould and appear in such a short period of time, I can't help but wonder if they're perhaps related."
He ended with: "I honestly don't know how much more data is floating around out there, but apparently it's much more than even I had thought only a week ago."
Tumblr users can check if their credentials have been compromised on the Have I Been Pwned website, but as a precaution, Tumblr advises users to change their passwords.