The massive scale of a data breach that affected social blogging platform Tumblr has been revealed for the first time.
The Yahoo-owned service admitted it had been hacked in 2013 but refused to divulge how many accounts had been affected. According to security expert Troy Hunt, hackers got away with approximately 65 million Tumblr passwords in total, making it the third-biggest data breach of all time.
Even more fascinating, however, is the potential connection between the Tumblr hack and a recently revealed LinkedIn breach. The latter is the current record holder in terms of the amount of data stolen, but Hunt has also drawn parallels to the way that data is being sold online.
In both cases, the passwords extracted by the hacker, or hackers, are all available to the highest bidder on the dark web. Additionally, the listings that Hunt spotted online were all created by the same seller, an account known as “peace_of_mind.” That doesn’t necessarily mean that individual is the person responsible for the breaches, but it is yet another similarity.
There is also a third breach, concerning a once-popular but now defunct social network, which is rumored to be the biggest of them all. It is thought that MySpace was hacked on an unspecified date, possibly during its mid-2000s heyday, and that 360 million records were stolen. The fact that all of these breaches are now coming to light is another indication that the perpetrators may be the same, according to Hunt.
“There are some really interesting patterns emerging here. One is obviously the age; the newest breach of this recent spate is still more than three years old,” states Hunt. “This data has been lying dormant (or at least out of public sight) for long periods of time.”
Security experts are also advising social media companies to go beyond passwords in order to protect their members.
“The breaches at MySpace and LinkedIn are just two more examples highlighting why passwords aren’t sufficient for protecting sensitive data,” Vishal Gupta, CEO of security startup Seclore, told Digital Trends. “Data-centric security solutions are a natural candidate for supplementing the increasingly weakened password. By applying protections at the data level, even if hackers manage to get their hands on sensitive information, the data remains completely unusable.”
It is important to note that Tumblr claims the stolen set of user email addresses all contained salted and SHA1 hashed passwords, which are much harder to crack.