Stole passwords from Tumblr are up for sale

A hacker stole passwords from Tumblr, and now he is selling them on the black market. The hacker, who goes by the name of Peace, has taken millions of passwords from numerous sites and is currently trying to sell them for $2,800. Peace also hacked LinkedIn and Myspace.

Stole passwords from Tumblr

Peace, the hacker, stole 65 million passwords from Tumblr and other other websites and is about to sell them for the small amount of $2,800 or for six bitcoins.

In June of 2013, the hacker was able to access several social media networking sites including Myspace, LinkedIn, and Tumblr. It is not known how Peace accomplished the data breach and it is not clear why the companies never revealed the incident until now.

Peace collected 164 million LinkedIn users’ data and snatched 65,469,298 user emails and passwords from Tumblr. While Tumblr has declined to confirm the figure, it did reveal that it did indeed have a security breach. In a statement released earlier this month, Tumblr said:

“As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password.”

Quizzed on what kind of changes were put in place and the new algorithm used to hash the passwords, Tumblr refused to answer. Instead, it asked its users to once more change their password. This week, many tech experts spotted the data stolen by Peace circulating around the Internet underground.

The 65,469,298 user emails and passwords from Tumblr can be yours for only 150 dollars. However, after obtaining the data, the buyer has to crack it because “the passwords were not in plain text, but instead went through a process called ‘salting and hashing’ where they were transformed into a string of digits.”

The cyber-attack did not only harm MySpace, it also affected Time Inc., which became the owner of the social network in February. However, the breach did not affect the company’s financial data or private information. Myspace explained in a blog post:

“As part of the major site re-launch in the summer of 2013, Myspace took significant steps to strengthen account security. The compromised data is related to the period before those measures were implemented. We are currently utilizing advanced protocols including double salted hashes (random data that is used as an additional input to a one-way function that “hashes” a password or passphrase) to store passwords.”

Someone, who goes by the alias of Tessa88, originally stole data from Myspace, but somehow Peace was able to get his hands on it and sell it online. Peace said:

“I’ll put listing for sale before idiots start spreading it.”

People, who have Myspace and Tumblr accounts, can find out if their information was compromised, by checking “Have I Been Pwned?”

You might like