After signing up for Have I Been Pwned? when Troy Hunt started the site in 2013, I had received no notifications about any account being compromised in a data breach. But then whammo! I get two notifications for two separate breaches in a relatively short time. The one today was about Tumblr, an account I barely remember even signing up for.
Over 65 million Tumblr accounts compromised
Tumblr claimed “a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013.” The reality, according to the HIBP notification, is that 65,469,298 people were pwned in the Tumblr data breach from February 2013; the compromised data included email addresses and passwords.
A hacker going by “peace_of_mind” was selling the Tumblr data on the darknet marketplace The Real Deal.
Peace told Motherboard that Tumblr had hashed the passwords with SHA1 and salted them, making them hard to crack. The data is “essentially just a list of emails” and “he was only able to sell it for $150.”
Over 40 million Fling accounts compromised
Before adding the Tumblr accounts to HIBP, security researcher Troy Hunt reported that he had just added 40,767,652 compromised records from Fling, a site that is not safe for work or for viewing around children. The Fling breach dated back to 2011.