Tuesday, 31 May 2016

On 01:22 by admin
Email addresses and hashed and salted passwords of 65 million Tumblr users are being sold online by “peace_of_mind,” aka “Peace,” the individual who recently offered for sale LinkedIn users’ data dating back to a 2012 breach.

The account credentials stolen from Tumblr are also old – according to researcher Troy Hunt, they were stolen in the site’s February 2013 breach.

Tumblr warned about the breach earlier this month, but neglected to say how many users were affected.

“We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password,” they said.

Peace is selling the lot for less than half a bitcoin (around $150), so it seems that the passwords are relatively safe from cracking but, as many have pointed out, a list of emails of 65 million Tumblr users can come in handy for mounting phishing attacks – something that the Tumblr team failed to warn about.

