Do you remember the hacker going by the nickname Peace who recently offered for sale 117 million LinkedIn credentials? The hacker is now doing the same with 65,469,298 hashed and salted passwords, along with the email addresses, of Tumblr users. The credentials come from a 2013 data breach, prior to the acquisition of Tumblr by Yahoo. According to well-known researcher Troy Hunt, creator of the Have I Been Pwned project, the credentials were obtained during February 2013.
Tumblr released a statement earlier this month, on May 12, but didn’t specify the number of users affected:
We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password.
The stolen user database is up for sale for pennies, once again. Peace is offering it for 0.4255 Bitcoin. Even though the salted and hashed passwords are relatively hard to break, it is still quite troubling that 65 million email addresses are now available to attackers. Phishing and spam are just two of the many possible outcomes that may endanger Tumblr users’ personal information.
What Do All Recent Data Breaches (LinkedIn, MySpace, Fling, and Now Tumblr) Have In Common?
All of these data incidents took place several years ago, but their consequences are only now beginning to surface. Troy Hunt wrote a whole piece on the matter, titled The emergence of historical mega breaches. Furthermore, the affected parties systematically fail to warn their users or to take matters into their own hands as quickly as possible. Data breach prevention should be their top priority but is in fact treated more as a taboo.
There are some really interesting patterns emerging here. One is obviously the age; the newest breach of this recent spate is still more than 3 years old. This data has been lying dormant (or at least out of public sight) for long periods of time.
The other is the size and these 4 breaches [LinkedIn, Myspace, Tumblr, Fling] are all in the top 5 largest ones HIBP [Have I Been Pwned] has ever seen. That’s out of 109 breaches to date, too. Not only that, but these 4 incidents account for two thirds of all the data in the system, or at least they will once MySpace turns up.
To sum it up:
- The truth about all of these breaches became public within a month;
- The incidents happened in the past;
- The vendors failed to react accordingly;
- The leaked data is up for sale on the black market.
What does Troy Hunt think about all of these coincidences?
If this indeed is a trend, where does it end? What more is in store that we haven’t already seen? And for that matter, even if these events don’t all correlate to the same source and we’re merely looking at coincidental timing of releases, how many more are there in the “mega” category that are simply sitting there in the clutches of various unknown parties?