After signing up for Have I Been Pwned? when Troy Hunt started the site in 2013, I had received no notifications about any account being compromised in a data breach. But then whammo! I get two notifications for two separate breaches in a relatively short time. The one today was about Tumblr, an account I barely remember even signing up for.
Over 65 million Tumblr accounts compromised
Tumblr claimed “a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013.” The reality, according to the HIBP notification, is that 65,469,298 people were pwned in the Tumblr data breach from February 2013; the compromised data included email addresses and passwords.
In other words, dumped data from another old hack came out of nowhere and jumped to number three in HIBP’s top 10 breaches.
A hacker going by “peace_of_mind” was selling the Tumblr data on the darknet marketplace The Real Deal.
Peace told Motherboard that Tumblr had used SHA1 to hash the passwords and also used salt, making them hard to crack. The data is “essentially just a list of emails” and “he was only able to sell it for $150.”
Over 40 million Fling accounts compromised
Before adding the Tumblr accounts to HIBP, security researcher Troy Hunt reported that he had just added 40,767,652 compromised records from Fling, which is not safe for work or around children if you click on it. The Fling breach dated back to 2011.
“Peace” is also selling the compromised account data from Fling, LinkedIn, Tumblr and MySpace.
Data from mega breaches no longer ‘dormant’
The LinkedIn hack of 2012 supposedly exposed 6.2 million password hashes, but that ended up missing the mark by a tremendous amount since a hacker was selling 167 million LinkedIn user records. 117 million had passwords, which were stored in SHA1 with no salting.
Then there’s more than 65 million accounts compromised from Tumblr and over 40 million from Fling. “This data has been lying dormant (or at least out of public sight) for long periods of time,” Hunt wrote.
Although the total records added to HIBP in the last six days is 269 million, Hunt said all of those latest hacks will “pale in comparison” once he gets hold of and adds the compromised MySpace records.
The MySpace hack contained over 360 million email addresses in it.
LeakedSource reported the “data set contains 360,213,024 records. Each record may contain an email address, a username, one password and in some cases a second password. Of the 360 million, 111,341,258 accounts had a username attached to it and 68,493,651 had a secondary password.”
The data, which had been provided by “Tessa88,” included 427,484,128 total passwords that were stored in SHA1 with no salting. Sadly, “very few passwords were over 10 characters in length (in the thousands) and nearly none contained an upper case character.” MySpace had chosen not to respond when contacted, so LeakedSource has included a list of top passwords as well as the top email domains.
LeakedSource, which has accumulated over 1.6 billion records, has search capabilities. If you find your personal information in the leaked databases, you can contact LeakedSource and ask for it to be “removed free of charge.”
This “trend” of data being sold from really old hacks has Hunt “really curious.” He wrote, “Even if these events don't all correlate to the same source and we're merely looking at coincidental timing of releases, how many more are there in the ‘mega’ category that are simply sitting there in the clutches of various unknown parties?”