In the wake of reports that 65 million stolen credentials from micro-blogging platform Tumblr have surfaced in a darknet marketplace, it's clear that 2016 is fast becoming the year of "historical mega breaches."
See Also: 2016 State of Threat Intelligence Study
That's Australian security expert Troy Hunt's encapsulation of the recently revealed, but older, string of massive data breaches (see Troy Hunt: The Delicate Balance in Data Breach Reporting).
Other older mega breaches that have just been revealed include the theft of 360 million accounts from MySpace - it's not clear when they were stolen - which is the biggest breach listed on "Have I Been Pwned?" - Hunt's free breach notification site. It's followed by the 2012 theft of 165 million accounts and 117 million credentials from LinkedIn, Tumbler, and then the 2011 breach of 41 million accounts at "adult social network" Fling, which also only came to light this month.
Hunt notes that together, these newly disclosed old breaches represent four of the five largest data breaches ever seen.
Tumblr Sounds 2013 Breach Alert
Tumblr first issued a related security warning pertaining to its 2013 breach this month, but it didn't indicate how many accounts may have been compromised. "We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo," Tumblr's May 12 security alert reads. "As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password."
The stolen Tumblr data is being offered for sale by a hacker known as Peace - also the seller behind the stolen LinkedIn, Fling and MySpace credentials - via the darknet marketplace The Real Deal, reports Motherboard. But the information is reportedly only being sold for about $150 in bitcoins, apparently thanks to Tumblr having "hashed" the passwords - which converts each one into an alphanumeric string - after having first "salted" them, which adds unique digits to each password, thus making them harder to crack.
A hacker known as "Peace" has offered stolen Tumblr credentials for sale on the darknet marketplace known as The Real Deal.
Tumblr's Password-Hash Fail
Tumblr hasn't disclosed which hashing algorithm it used. In theory, hashing will make passwords tougher to reverse engineer, provided the hashing is correctly implemented (see Researchers Crack 11 Million Ashley Madison Passwords).
But Hunt says that Tumblr used the SHA1 cryptographic hash function and estimates that at least half of its passwords being sold could be cracked.
If that's true, Tumblr's hashing practices weren't up to snuff. Indeed, security experts have long warned that SHA1 should never be used for passwords, and that only dedicated password hashes - such as mcrypt - be used instead (see LinkedIn's Password Fail). As a result, security experts warn that anyone who's reused their Tumblr password on other sites should change every password, preferably to something that's unique.
Spring Cleaning for Hackers
It's not clear what the impetus might be behind so many old breaches now coming to light, especially when the credentials are being offered for so little money. Perhaps it's just a bit of stolen-credential spring cleaning on the part of hackers such as Peace.
But the spate of newly discovered historical mega breaches is a reminder that some breaches may go undetected for years. Others, such as the LinkedIn breach - originally believed to encompass 6.5 million credentials - apparently can turn out to be much worse than anyone seems to have realized. And if the spate of recent breach revelations is any indication, there may be more bad news soon to come.