Cyber Incident Victim: Tumblr
Date: Jan 2013
Location: United States of America
Summary
A major data breach compromised approximately 65 million user email addresses and passwords. The stolen credentials were hashed using SHA-1 with salting, significantly increasing cracking difficulty. Despite protective measures, the dataset circulated underground and was sold for a nominal amount. The incident ranked among the largest breaches at the time, prompting forced password resets for affected accounts. Discovery and disclosure occurred years after the initial intrusion, highlighting delays in breach identification and reporting.
Description
In May 2016, Tumblr publicly disclosed a previously undetected data breach that occurred in 2013, affecting a significant number of user accounts. The company reported that attackers had compromised "a set" of email addresses and salted, hashed passwords but initially withheld specific figures regarding the breach's scope. Independent analysis by security researcher Troy Hunt, who obtained a copy of the stolen dataset, revealed the breach impacted 65,469,298 unique email addresses and corresponding passwords. Tumblr confirmed the use of cryptographic salting—appending random data to passwords before hashing—but did not disclose the specific hashing algorithm employed. A hacker known as Peace, who claimed possession of the data and attempted to sell it on the darknet marketplace The Real Deal, asserted Tumblr utilized SHA-1 for hashing. The combined use of salting and hashing rendered the passwords resistant to immediate cracking, contributing to the dataset's relatively low black-market valuation of $150. Tumblr enforced mandatory password resets for affected users upon disclosing the breach in 2016, though the compromised data had already circulated within underground hacking communities for an unspecified period prior to public disclosure.

The breach ranked as the third-largest incident recorded on Hunt’s Have I Been Pwned breach-tracking service at the time, trailing only the LinkedIn (164 million accounts) and Adobe (152 million accounts) breaches. Despite the protective measures, Hunt estimated approximately 50% of the passwords remained vulnerable to cracking due to dated security practices prevalent when the breach occurred. The incident formed part of a broader pattern of delayed breach disclosures, with similarly aged compromises at LinkedIn and MySpace becoming public concurrently. Tumblr directed users to reset passwords proactively but did not confirm Hunt’s 65 million figure publicly. The stolen dataset’s underground availability highlighted persistent risks of historical data exposure, with Hunt speculating about the potential existence of other unreported "mega breaches" held by threat actors. No additional technical details regarding attack vectors, internal detection methods, or containment procedures were disclosed by Tumblr or detailed in the analyzed source material.
