Reefa Posted May 30, 2016

Quote

On May 12, Tumblr revealed that it had just found out about a 2013 data breach affecting “a set” of users’ email addresses and passwords, but the company refused to reveal how many users were affected.

As it turns out, that number is 65 million, according to an independent analysis of the data.

Troy Hunt, a security researcher who maintains the data breach awareness portal Have I Been Pwned, recently obtained a copy of the stolen data set. Hunt told Motherboard that the data contained 65,469,298 unique emails and passwords. (Tumblr did not immediately respond to a request to confirm the figure).

The passwords, however, were not in plaintext, but were “hashed,” a process that turns the actual password into a different string of digits. The company also added a series of random bytes at the end of the passwords before hashing them, or “salted” them, as Tumblr said when it disclosed the breach. The company, however, didn’t say exactly what algorithm it used to hash the passwords.

Since Tumblr’s announcement, the hacked data appears to have been circulating within the internet underground. A hacker known as Peace, who also claims to have the data and was selling it on the darknet marketplace The Real Deal, said Tumblr used SHA1 to hash the passwords. Given that it also used salt, they are very hard for hackers to crack.

[Image: A screenshot of the listing for the sale of the Tumblr data breach on the dark web illegal marketplace The Real Deal.]

That’s why, Peace told me, the data was essentially just a list of emails, and he was only able to sell it for $150.

In any case, considering the age of the breach and the bad practices that were used at the time across websites, it’s fair to assume half of the passwords could be cracked, according to Hunt.

This data breach is now listed on Have I Been Pwned as the third largest ever, after the hack of 164 million LinkedIn accounts and the breach of 152 million Adobe accounts.

You can check there to find out if you were a victim, though you should’ve been notified by Tumblr when the company forced users to reset passwords after announcing the breach.

Quote
What a great way to start this week. /CC Mantas May 30, 2016

What’s interesting about this incident is that it’s come along with other massive data breaches that were just recently disclosed, but date back a few years.

“This data is lying dormant (or at least out of public sight) for long periods of time,” Hunt wrote in a blog post on Monday.

Since Tumblr’s data was discovered, years-old breaches at LinkedIn and MySpace have also emerged in the last couple of weeks. Whether there will be more, it’s anyone’s guess. But as we’re slowly learning, everyone gets hacked, though sometimes we don’t find out for years.

“If this indeed is a trend, where does it end? What more is in store that we haven't already seen?” Hunt wrote. “And for that matter, even if these events don't all correlate to the same source and we're merely looking at coincidental timing of releases, how many more are there in the 'mega' [breach] category that are simply sitting there in the clutches of various unknown parties?”

Correction: A previous version of this story and headline said the victims of the breach according to Hunt were 68 million, they were actually 65.

source

LeeSmithG Posted May 30, 2016

Hackers didn't steal anything, 'crackers' did, that's what stealing and breaking into is done by, 'crackers'.

Reefa (Author) Posted May 30, 2016

Yes, you are right in a way..

Quote

When the subject of Hackers and Crackers comes up, people often intermingle the two terms and mistakenly use hacking and cracking as the same term. Although the two terms have some significant similarities, the main motives behind hacking and cracking are completely different.

Hackers (also known as "white hat" hackers) modify and add code, thus changing the code so that it does something other than what it was originally intended for. For example, a website owner may hire a programmer to "hack" or alter the code of their online store to perhaps add a shipping module that was not there before. Hackers usually have a bad reputation, but hacking skills in themselves can be helpful and useful if used for positive reasons. Many people hack their own systems, or get permission to hack someone else's, to gain more knowledge regarding the security of their website or to have their website do some feature it didn't have before… hacking the code would be less expensive than buying new software to acquire a new feature you did not have before.

There are people who actually have jobs as professional hackers (ethical hackers) who are hired by companies to test and repair security systems by hacking into them. It's legal to hack in these cases because fraud, stealing, or other criminal acts are not being committed. Hackers can be helpful in that they have the ability to alter and take advantage of computer systems, using their skill set to suppress cracker activity.

Crackers, also known as "malicious hackers" and "black-hat hackers", are different because although they have the same skills as a hacker, they use their power to commit criminal acts. For example, crackers can send viruses, steal personal information and commit other crimes using just their skills and a home computer. Obviously, the activities of most Crackers are considered illegal.

In comparing Hackers to Crackers, we can see that they have similar skill sets, but while Hacker activity is usually of the legal kind, Cracker activity is usually of the illegal kind.

source

However, it is a bit petty, as you will find most articles word it this way, so I wouldn't lose any sleep over it..

steven36 Posted May 30, 2016

Tumblr is owned by Yahoo, which is for sale; this is really nothing new for Yahoo other than the size of the breach. One in eight Tumblr users affected... I had an account from Yahoo stolen from me back during the 1st decade of the 21st century; this stuff happened time and time again on Yahoo services. These people are lucky, at least they are resetting the passwords; back in the old days you just lost your account forever.

Quote

Peace, the hacker that's selling the data, is the same person that put up for sale the MySpace and LinkedIn data dumps, but also other online services such as Fling.com and the Linux Mint forum.

Archived
This topic is now archived and is closed to further replies.