More than 65 million sets of login credentials for users of Yahoo-owned Tumblr have appeared for sale through the darknet.
"Peace", the same black hat behind the sale of 117 million leaked LinkedIn credentials (fruits of a 2012 breach), has said he or she is also selling the latest data, although it is now widely available on the darknet.
LinkedIn evidently hashed passwords using SHA-1 without salting, a combination of weak crypto and poor methodology that made it fairly straightforward to crack the leaked password database. Tumblr, however, adopted a more robust password storage methodology, both salting and hashing the passwords, which makes the data up for grabs essentially a list of email addresses.
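To show why the two storage choices matter so much, here is an added illustration (not code from either company; the salted scheme is an assumption, since the article only says Tumblr salted and hashed) that stores the same constructed sample passwords both ways and runs a small one-off SHA-1 lookup table over each:

```python
import hashlib
import hmac
import os

# Constructed sample records: two users who happen to share a password,
# a common situation in real credential dumps.
USERS = {"alice@example.com": "password1", "bob@example.com": "password1"}
WORDLIST = ["123456", "password1", "qwerty"]  # constructed, deliberately tiny


def store_unsalted_sha1(password):
    """LinkedIn-style storage as the article describes it: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted(password, salt=None):
    """Salted storage in the spirit of what the article credits Tumblr with.
    Assumption: SHA-256 over (salt || password); the real scheme is not given.
    Returns (salt_hex, digest_hex); both are stored with the account."""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex(), hashlib.sha256(salt + password.encode()).hexdigest()


def verify_salted(password, salt_hex, digest_hex):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = store_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest_hex)


def sha1_lookup_table(wordlist):
    """One-time precomputation of SHA-1 for each candidate word. Built once,
    it applies to every unsalted record in every leak; that is the weakness."""
    return {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}


def match_unsalted(leaked, table):
    """Each leaked unsalted digest maps straight back to a word; no hashing needed."""
    return {email: table.get(digest) for email, digest in leaked.items()}


def match_salted(leaked, table):
    """The same table is useless against salted records: nothing lines up."""
    return {email: table.get(digest) for email, (_, digest) in leaked.items()}


if __name__ == "__main__":
    table = sha1_lookup_table(WORDLIST)
    unsalted = {e: store_unsalted_sha1(p) for e, p in USERS.items()}
    salted = {e: store_salted(p) for e, p in USERS.items()}
    print("unsalted duplicates visible:", len(set(unsalted.values())) == 1)
    print("unsalted matched:", match_unsalted(unsalted, table))
    print("salted matched:", match_salted(salted, table))
```

Note that salting only removes the shared, precomputable shortcut; each salted record can still be guessed at individually, which is why a deliberately slow function such as bcrypt, scrypt or PBKDF2 is the usual next step beyond a plain salted hash.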
The leaked database has already been added to the ever-growing index on Troy Hunt's Have I been pwned? website. Many of the leaked records reference deactivated but not deleted accounts, Hunt notes.
Dave Worrall, CTO of Secure Cloudlink, said that the incident is further evidence that passwords are long past their sell-by date.
“The Tumblr hack is just another example that demonstrates how flawed the password security system is. Only a few weeks ago we saw a similar incident with LinkedIn and chances are it will only be a very short time before we witness another,” Worrall commented. “Ultimately what is required is an entire shift in mind-set.”
“The password concept worked well in theory a decade ago, but as technology has advanced and our digital environment has evolved, they are simply not conducive to the modern world,” he concluded.
More security commentary on the incident from security pundits Graham Cluley here and David Bisson here. Bisson advises social networking types to enable two-step verification to make it harder for hackers to hijack their online accounts.
The Yahoo!-owned social networking site itself said earlier this month that it would be "requiring affected Tumblr users to set a new password". ®