A Tumblr data breach discovered earlier this month affected the personal data of more than 65 million of the site’s users, according to a new analysis of the leaked data.
The figure makes the Tumblr breach one of the largest to date, comparable to other large sets of user data that have recently made their way onto the public Internet, and suggests that websites’ insecure practices can mean consequences that may not come to light until years later.
The Tumblr data set contains 65,469,298 unique records, according to Troy Hunt, who maintains Have I Been Pwned, a searchable database of leaked data.
Tumblr didn’t disclose the number of users affected by the breach, which it said occurred in 2013 but was only discovered early this month. The site disclosed the breach on 12 May.
The database contains email addresses and passwords, but according to Tumblr the passwords are encrypted and further protected by a cryptographic process called salting, which involves the addition of random data to make the values more difficult to decypher.
The individual offering the data for sale on TheRealDeal, who uses the pseudonym Peace Of Mind, told Internet news site Motherboard that the protections meant the data could only be offered for sale for .425 Bitcoin, or about £157.
By contrast, the same seller is offering the LinkedIn data on TheRealDeal for 2 Bitcoin and the MySpace data for 6 Bitcoin, or more than £2,200, according to Hunt.
The recently disclosed breaches affecting LinkedIn, Fling, MySpace and Tumblr all follow the same pattern: all are amongst the largest known to date, and all result from hacks that took place several years ago.
The LinkedIn hack, involving 164 million user email addresses, took place in 2012; the Fling hack, involving 40 million users, took place in 2011; and the tumblr hack dates from 2013.
MySpace hasn’t yet indicated when the breach of its systems, involving 360 million records, took place, but the individual offering the data for sale on TheRealDeal said it, too, was a previously unreported incident from some time ago.
The MySpace breach is the largest on Have I Been Pwned’s records, according to Hunt, followed by LinkedIn, an Adobe leak that affected 152 million accounts, Tumblr and Fling.
Hunt suggested the pattern indicates that even as websites scramble to improve the way they protect user data, many may find that they are too late.
“This data is lying dormant (or at least out of public sight) for long periods of time,” he wrote in a blog post. “I honestly don’t know how much more data is floating around out there, but apparently it’s much more than even I had thought only a week ago.”
Are you a security pro? Try our quiz!
Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…
Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…
Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…
Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…
Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal
Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…