A new day, a new security breach involving social networks. Linkedin, Fling.com, MySpace and now Tumblr made the news after their systems had been breached and stolen user data has surfaced on black markets.
A hacker, dubbed “Peace,” is selling the data of 65 million Tumblr accounts for 0.4255 Bitcoin ($225) on the The Real Deal marketplace, a dark web site specialized in peddling stolen data and computer exploits. The same hacker is reportedly also selling compromised login account data from Fling, LinkedIn, and MySpace.
Tumblr was breached in 2013, yet the company only discovered it and notified its users in May 2016.
Apparently, the passwords were hashed and salted, according to an analysis by Tray Hunt, but Tumblr did not state the algorithm used in the process. That is why the selling price was fairly low.
“In any case, considering the age of the breach and the bad practices that were used at the time across websites, it’s fair to assume half of the passwords could be cracked,” Hunt said.
What do the four breaches have in common?
Age – all the intrusions laid dormant for years until their discovery; the most recent breach is more than 3 years old.
Linkedin – 2012
Fling.com – 2011
MySpace – 2013
Tumblr – 2013
Size – all these breaches are large in terms of volume of data leaked.
LinkedIn – 167 million hacked accounts had been put up for sale.
Fling.com – passwords and sexual preferences of 40 million users
MySpace – over 427 million MySpace passwords
Tumblr – 65 million
Moment of disclosure – the data leaked in a short timeframe, one breach after the other. Coincidence?
Nonetheless, the numbers are impressive. But how can the authenticity of the data be verified? In the case of Fling.com, out of 101 email addresses tested on the site, only 61 were already in use, Motherboard writes.
“It’s also worth bearing in mind that it’s possible to create an account on Fling without clicking a verification link sent to an email address,” the site writes. “And when Motherboard created test accounts on the site, it was necessary for the password to contain numbers, but in the sample data, many passwords only contained letters.”
To check if you have been a victim, you can go to https://haveibeenpwned.com/ , a database of over 600 million hacked accounts.