Earlier this week, it was reported that a hacker had obtained user information for a large number of Tumblr accounts.

Here is what you need to know:

What exactly happened?

On May 12th, Tumblr (now owned by Yahoo) reported that "a set" of its user data from early 2013 and before (prior to the Yahoo acquisition) had somehow been obtained by an (unauthorized) third party.

This week, security researcher, Troy Hunt, announced that he had obtained a copy of the stolen data set, and that it contained login information apparently related to over 65 million Tumblr accounts. It is not clear as of yet exactly when or how the data leaked.

Were 65 million passwords really leaked?


Apparently, yes - but not in a form that would allow someone to actually read them. 

According to Tumblr, the passwords involved were salted and hashed - meaning that they were encrypted using a one-way encryption function (hashing), and extra random data was added to each real password before the function was applied to hash it (salting). As such, the data possessed by the hacker and leaked to others could not be used directly to log into Tumblr. That said, there is some level of risk that passwords can be extrapolated from such data - especially since the nefarious party who originally stole the data had both a large collection of salted-and-hashed data and possessed it for quite some time - so Tumblr's salting-and-hashing does not afford bullet-proof protection. We also don't know what algorithms or tools were used to do the salting and hashing, and whether any vulnerabilities or implementation mistakes may have been discovered in either since the time the data was stolen.

What should Tumblr users do now?

As Tumblr stated in its notice "As a precaution, however, we will be requiring affected Tumblr users to set a new password." - so users whose accounts are at risk have been forced (or will be forced when they next login to the service) to change their passwords. Taking such action will protect against a hacker (or anyone else) using a password that is somehow extrapolated from the salted-and-hashed data to access the user's Tumblr account.

Is that all that has to be done?

No. There is another important action that should be taken, and it applies to Tumblr users as well as people no longer using the site:

Any user who used his or her circa-2013 or earlier Tumblr password on any other site or for any other purpose - and is still using it as such - should change that password wherever it is being used.

Such users may not be notified by Tumblr that they are at risk, as they may have since closed their Tumblr accounts or changed their email addresses.

Are there any other precautions that must be taken?

Yes. Be vigilant about phishing emails - the email addresses in the hacker's collection were not encrypted. Criminals may even send out emails impersonating Tumblr asking people to open an attachment or visit some rogue website to reset their passwords.

Keep in mind that, at least in the short term, the odds that criminals will attempt to exploit the email addresses in the Tumblr data dump for nefarious purposes are likely much higher than the odds that they will successfully extract usable passwords from the salted-and-hashed data.

What can be done to protect Tumblr accounts in the future?

As discussed in my article about Katy Perry's Twitter account being hacked earlier this week, it is generally wise to protect social media accounts (especially those that a person regularly uses) with multi-factor authentication, rather than with just a password. Tumblr offers such authentication capabilities.

Can I check if my Tumblr account was included in the leak?

Hunt's site, https://haveibeenpwned.com/, allows you to check if your email address was included in this leak or in others.

Does the Tumblr data leak represent a new trend of old data breach data surfacing years later?

I suspect that there is not a new trend beginning, as much as a combination of there being more old data-leak data out "in the wild" (i.e., there weren't nearly as many major data-leak type breaches a decade ago, so there couldn't possibly be many old data dumps surfacing seven years ago), and a far greater number of researchers now looking for such data than just a few years ago.  Brian Bartholomew, Senior Security Researcher at Kaspersky Lab, expressed a similar sentiment to me: "I don't think this is a new trend as much as there are more and more researchers focusing on the topic and now discovering what's been around for years. As more of these breaches come to light, companies are digging deeper for this information. Data from large breaches has been available for some time. Up until recently, however, the only ones who really knew about how much is out there were the ones trading in that market." 

How bad is this data breach compared to others?

The Tumblr leak - of combinations of old email addresses and salted-and-hashed passwords to social media accounts - is obviously not as serious as the IRS leaking tax records or the Office of Personnel Management leaking personnel records and fingerprints, or as bad as various other high-profile breaches that have occurred in the recent past. That said, as I mentioned before, especially because hackers have had years and a large dataset with which to work, there is risk that some passwords may have been exposed, and those passwords may be usable on other sites as well as on Tumblr. As Barthomolmew put it: "a large percentage of normal users tend to re-use passwords for many different systems. If you think about how many users from Tumblr have Apple iCloud accounts, Twitter accounts, Gmail or other online mail accounts, etc. the potential risk is high for this breach to bleed over into other stories down the road."