‘Historical Mega Breaches’ Continue: Tumblr Hacked
Newly Spotted Breach Follows Similar LinkedIn, Fling, MySpace Warnings
In the wake of reports that 65 million stolen credentials from micro-blogging platform Tumblr have surfaced in a darknet marketplace, it’s clear that 2016 is fast becoming the year of “historical mega breaches.”
That’s Australian security expert Troy Hunt’s encapsulation of the recently revealed, but older, string of massive data breaches (see Troy Hunt: The Delicate Balance in Data Breach Reporting).
“These newly disclosed old breaches could represent four of the five largest data breaches in history.”
Other older mega-breaches that have just been revealed include the 2012 theft of 165 million accounts and 117 million credentials from LinkedIn, which is the biggest breach listed on “Have I Been Pwned?” – Hunt’s free breach notification site, and the 2011 breach of “adult social network” Fling (41 million), which also only came to light this month.
Not on Hunt’s list, at least so far, is the apparent breach of MySpace, for which 360 million credentials of indeterminate – but likely old – age just came to light (see Did a MySpace Hack Compromise 427 Million Passwords?). Hunt hasn’t yet obtained a copy of the credentials. But he notes that together, these newly disclosed old breaches could represent four of the five largest data breaches ever.
Tumblr Sounds 2013 Breach Alert
Tumblr first issued a related security warning pertaining to its 2013 breach this month, but it didn’t indicate how many accounts may have been compromised. “We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo,” Tumblr’s May 12 security alert reads. “As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password.”
The stolen Tumblr data is being offered for sale by a hacker known as Peace – also the seller behind the stolen LinkedIn, Fling and MySpace credentials – via the darknet marketplace The Real Deal, reports Motherboard. But the information is reportedly only being sold for about $150 in bitcoins, apparently thanks to Tumblr having “hashed” the passwords – which converts each one into an alphanumeric string – after having first “salted” them, which adds unique digits to each password, thus making them harder to crack.
— Mathew J Schwartz (@euroinfosec) May 31, 2016
Tumblr’s Password-Hash Fail
Tumblr hasn’t disclosed which hashing algorithm it used. In theory, hashing will make passwords tougher to reverse engineer, providing the hashing is correctly implemented (see Researchers Crack 11 Million Ashley Madison Passwords).
But Hunt says that Tumblr used the SHA1 cryptographic hash function and estimates that at least half of its passwords being sold could be cracked.
If that’s true, Tumblr’s hashing practices weren’t up to snuff. Indeed, security experts have long warned that SHA1 should never be used for passwords, and that only dedicated password hashes – such as mcrypt – be used instead (see LinkedIn’s Password Fail). As a result, security experts warn that anyone who’s reused their Tumblr password on other sites should change every password, preferably to something that’s unique.
Spring Cleaning for Hackers
It’s not clear what the impetus might be behind so many old breaches now coming to light, especially when the credentials are being offered for so little money. Perhaps it’s just a bit of stolen-credential spring cleaning on the part of hackers such as Peace.
But the spate of newly discovered historical mega breaches is a reminder that some breaches may go undetected for years. Others, such as the LinkedIn breach – originally believed to encompass 6.5 million credentials – apparently can turn out to be much worse than anyone seems to have realized. And if the spate of recent breach revelations is any indication, there may be more bad news soon to come.
Source: SANS ISC SecNewsFeed @ May 31, 2016 at 01:09PM