
65 million hacked Tumblr passwords for sale on darknet as worrying trend of ‘historical mega breaches’ emerges

News: MySpace is apparently next, with more than 360 million emails and passwords reportedly stolen.

By Ellie Burns

A mega breach has hit popular social media networks MySpace and Tumblr, with hundreds of millions of hacked accounts reportedly on sale via the darknet.

Following the much publicised LinkedIn breach, which saw 117m stolen emails and passwords up for sale on the Dark Web, it has been reported that a staggering 65 million Tumblr accounts are also now being advertised for sale online.

Although Tumblr admitted to the data breach on May 12, the scale of the hack was not disclosed. The compromised database included email addresses and passwords, although the latter are heavily protected because Tumblr had salted and hashed the passwords – a procedure which turns passwords into different strings of digits, effectively making it impossible to restore a password so that it is usable again.

According to a hacker known as Peace and cited by Motherboard’s Lorenzo Franceschi, due to the passwords being unusable, the remaining data – emails – are being sold for as little as $150 on darknet marketplace The Real Deal. However, as Matt Middleton-Leal, regional director, UK & Ireland at CyberArk argues, emails without passwords can be just as damaging to a user’s digital life.

"Personally identifiable information is a high value commodity for hackers; anything that helps to build a complete picture of a person can be far more valuable than credit card numbers. So the ability for hackers to use the leaked emails to tease out more information about individuals via phishing techniques is the concern, as other areas of their digital lives may then be at risk. Many of our online account passwords are the same or similar, so learning which one opens up other doors will be their chosen tactic."

The scale of the data breach came to light when Troy Hunt, a security researcher who runs the Have I Been Pwned site, obtained a copy of the stolen data. According to Hunt’s analysis, 65,469,298 Tumblr accounts have been breached, with significant trends and patterns surfacing due to the breach.

Hunt finds it interesting that a spate of mega breaches at LinkedIn, Fling, Tumblr and MySpace have all been recently disclosed, yet the actual breach in each case dates back a number of years. There is also the size of the breaches and the short space of time in which they are appearing, with Hunt saying: "These 4 incidents account for two thirds of all the data in the system, or at least they will once MySpace turns up.


"Then there’s the fact that it’s all appearing within a very short period of time – all just this month. There’s been some catalyst that has brought these breaches to light and to see them all fit this mould and appear in such a short period of time, I can’t help but wonder if they’re perhaps related."

When it comes to MySpace, the Tumblr breach may pale in comparison. News site Motherboard has reported that the hacker known as Peace, alongside an operator of LeakedSource, claims to have 360 million emails and passwords of MySpace users. If true, this could be one of the biggest breaches and leaks of passwords ever. However, as no data sample has been provided, it is hard to verify the scale of the supposed breach. The data is, however, reportedly now up for sale on dark web market The Real Deal, with an asking price of 6 Bitcoin for the stolen passwords and emails.

In a statement, MySpace said: "Email addresses, MySpace usernames, and MySpace passwords for the affected MySpace accounts created prior to June 11, 2013 on the old MySpace platform are at risk. As you know, MySpace does not collect, use or store any credit card information or user financial information of any kind. No user financial information was therefore involved in this incident; the only information exposed was users’ email address and MySpace username and password. In order to protect our users, we have invalidated all user passwords for the affected accounts created prior to June 11, 2013 on the old MySpace platform."

In the statement, MySpace also said that automated tools had been deployed to identify and block any suspicious activity, and that law enforcement had been informed about the breach.

If there is a trend of mega breaches then the MySpace breach might be one in a long line of breaches yet to be disclosed. Troy Hunt said: "If this indeed is a trend, where does it end? What more is in store that we haven’t already seen? And for that matter, even if these events don’t all correlate to the same source and we’re merely looking at coincidental timing of releases, how many more are there in the "mega" category that are simply sitting there in the clutches of various unknown parties?"
