Tumblr earlier this month revealed that a third party had obtained access to a set of user e-mail addresses and passwords dating back to early 2013. The company, now owned by Yahoo, didn’t reveal how many accounts were compromised but said it was requiring affected users to set up a new password. Now, we know the answer.
Renowned security researcher Troy Hunt recently obtained a copy of the stolen data set. Hunt told Motherboard that the data includes 65,469,298 unique e-mail addresses and passwords.
Corroborating Tumblr’s account of the breach, the passwords weren’t stored in plaintext but were salted and hashed, techniques used to make passwords more secure and thus more difficult to crack. Tumblr didn’t say what algorithm it used to hash the passwords, although according to at least one underground listing for the data, it’s SHA1.
Because they were salted, the publication notes, the seller is asking only around $150. Given the age of the breach and the bad practices used at that time (and still today, largely), Hunt estimates that at least half of the passwords could be cracked.
Perhaps more worrisome, however, is the growing trend of dated breaches cropping up lately. Hunt takes up this trend in a recent blog post, wondering just how many more “mega” breaches there are out there just waiting to be released.