Tumblr Breach Hit 65 Million as Pattern Emerges

A security expert has warned that there could be a lot more to come, following recent revelations of data breaches that happened several years ago at web firms including LinkedIn, MySpace and Tumblr.

Earlier this month, 167 million records were found to have been exposed after a breach at LinkedIn in 2012 – despite the firm claiming at the time that just 6.5 million users were affected.

Then last week it was revealed that around 360 million records had been stolen from social media site MySpace.

Most recently, a Tumblr hack from 2013, which the firm only discovered and notified users about earlier this month, has been found to have exposed 65 million records.

This is despite the Yahoo-owned firm playing down the incident by claiming that only a “set of Tumblr user email addresses with salted and hashed passwords” was stolen.

Troy Hunt runs the Have I been pwned (HIBP) website, which allows users to check whether their information has been stolen from any sites they have online accounts with.

He claimed in a new post that in the past week alone he’s loaded 269 million records into the system – almost as many as were in the entire site prior to that.

Data from all three web firms, along with a fourth – Fling – are for sale on the darknet, from the same vendor, going by the handle peace_of_mind.

These breaches all involve extremely large volumes of data, and all happened at least three years ago but have been sitting dormant, leading Hunt to speculate there may be a connection.

“There's been some catalyst that has brought these breaches to light and to see them all fit this mould and appear in such a short period of time, I can't help but wonder if they're perhaps related,” he suggested.

“If this indeed is a trend, where does it end? What more is in store that we haven't already seen? And for that matter, even if these events don't all correlate to the same source and we're merely looking at coincidental timing of releases, how many more are there in the ‘mega’ category that are simply sitting there in the clutches of various unknown parties?”
