byDarlene Storm
news analysis
May 30, 20163 mins
CybercrimeData and Information SecurityPrivacy
That "set" of accounts compromised in the Tumblr hack was actually 65 million. Have I Been Pwned added another 40 million from the 'dating' hookup site Fling. The MySpace hack had more than 360 million email addresses in it.
After signing up for Have I Been Pwned? when Troy Hunt started the site in 2013, I had received no notifications about any account being compromised in a data breach. But then whammo! I get two notifications for two separate breaches in a relatively short time. The one today was about Tumblr, an account I barely remember even signing up for.
Over 65 million Tumblr accounts compromised
Tumblr claimed “a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013.” The reality, according to the HIBP notification, is that 65,469,298 people were pwned in the Tumblr data breach from February 2013; the compromised data included email addresses and passwords.
In other words, dumped data from another old hack came out of nowhere and jumped to number three inHIBP’stop 10 breaches.
A hacker going by “peace_of_mind” was selling the Tumblr data on the darknet marketplace The Real Deal.
Peace told Motherboard that Tumblr had used SHA1 to hash the passwords and also used salt, making them hard to crack. The data is “essentially just a list of emails” and “he was only able to sell it for $150.”
Over 40 million Fling accounts compromised
Before adding the Tumblr accounts to HIBP, security researcher Troy Hunt reported that he had just added 40,767,652 compromised records from Fling, which is not safe for workor around children if you click on it. The Fling breach dated back to 2011.
“Peace” is also selling the compromised account data from Fling, LinkedIn, Tumblr and MySpace.
Data from mega breaches no longer ‘dormant’
The LinkedIn hack of 2012 supposedly exposed 6.2 million password hashes, but that ended up missing the mark by a tremendous amount since a hacker was selling 167 million LinkedIn user records. 117 million had passwords, which were stored in SHA1 with no salting.
Then there’s more than 65 million accounts compromised from Tumblr and over 40 million from Fling. “This data has been lying dormant (or at least out of public sight) for long periods of time,” Hunt wrote.
Although the total records added to HIBP in the last six days is 269 million, Hunt said all of those latest hacks will “pale in comparison” once he gets hold of and adds the compromised MySpace records.
MySpace hack
The MySpace hack contained over 360 million email addresses in it.
LeakedSource reported the “data set contains 360,213,024 records. Each record may contain an email address, a username, one password and in some cases a second password. Of the 360 million, 111,341,258 accounts had a username attached to it and 68,493,651 had a secondary password.”
The data, which had been provided by “Tessa88,” included 427,484,128 total passwords that were stored in SHA1 with no salting. Sadly, “very few passwords were over 10 characters in length (in the thousands) and nearly none contained an upper case character.” MySpace had chosen not to respond when contacted, so LeakedSource has included a list of top passwords as well as the top email domains.
LeakedSource, which has accumulated over 1.6 billion records, has search capabilities. If you find your personal information in the leaked databases, you can contact LeakedSource and ask for it to be “removed free of charge.”
This “trend” of data being sold from really old hacks has Hunt “really curious.” He wrote, “Even if these events don’t all correlate to the same source and we’re merely looking at coincidental timing of releases, how many more are there in the ‘mega’ category that are simply sitting there in the clutches of various unknown parties?”
Related content
- featureWindows 11 Insider Previews: What’s in the latest build? Get the latest info on new preview builds of Windows 11 as they roll out to Windows Insiders. Now updated for Build 22635.3720 for the Beta Channel and Build 26120.770 for the Dev Channel, both released on June 7, 2024.ByPreston GrallaJun 07, 2024264 minsSmall and Medium BusinessMicrosoftWindows 11
- newsDuckDuckGo launches anonymous AI chatbot The privacy-conscience search engine said it will not use information users input for training LLMs or in any other way reveal who queried the chatbot.ByLucas MearianJun 07, 20243 minsChatbotsData PrivacyWeb Search
- newsUS chip export control rules circumvented by AI cloud services, says report Chinese companies are exploiting a loophole in export control rules that draft legislation introduced last year sought to close.ByJohn LeydenJun 07, 20244 minsGovernmentGenerative AIGPUs
- newsHow many jobs are available in technology in the US? Tech unemployment was down in May and job postings were higher than they've been for more than a year.ByLucas MearianJun 07, 2024164 minsRemote WorkSalariesFinancial Services Industry
SUBSCRIBE TO OUR NEWSLETTER
From our editors straight to your inbox
Get started by entering your email address below.
