LinkedIn IDs had been traded online.
Tumblr initially announced on 12 May that its security had been compromised in 2013, but would not say how many users were affected.
Now a report by data breach awareness site Have I Been Pwned (HIBP) claims that 65,469,298 email addresses and passwords were stolen.
If confirmed, HIBP said that would make it the third biggest ever security breach. Tumblr has not commented on the report.
In a statement issued at the time of the incident, the company said the passwords were protected by a process called “salting and hashing”: each password is combined with a random per-user value (the salt) and run through a one-way hash function, so the database stores a fixed-length digest rather than the password itself, and two users who chose the same password end up with different digests. Salting defeats precomputed lookup tables, but it does not stop an attacker who holds the stolen table from guessing each account’s password offline, which is why the company still advised users to change their logins.
Website Motherboard reported that users’ details were being offered for sale on the internet and dark web. That means that even if your account can’t be accessed, you could be at risk of receiving spam and phishing emails.
Motherboard reported that the database is being sold by a hacker called “Peace” for just $150 (£103). It said the low price reflected the difficulty of trying to crack users’ passwords.
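The two preceding points (what “salted and hashed” storage actually protects, and why a salted dump is still worth cracking) are easier to see in code. The following is an added example written for this article, not Tumblr’s code or anything the report describes: the account names, passwords and wordlist are constructed, and the choice of SHA-256 for the naive scheme is an assumption for illustration, since the article does not say which hash Tumblr used. The scrypt variant shows the hardened form a service should use instead.

```python
import hashlib
import hmac
import os
import time

# Constructed sample accounts (invented for this example). Two users share a weak password.
SAMPLE_USERS = {
    "alice@example.com": "password123",
    "bob@example.com": "password123",
    "carol@example.com": "correct-horse-battery-staple-2016",
}

# Constructed attacker wordlist; a real one would hold millions of entries.
CONSTRUCTED_WORDLIST = ["123456", "qwerty", "password", "password123", "letmein"]


def fast_salted_hash(salt: bytes, password: str) -> bytes:
    """Naive 'salted and hashed' storage: a single SHA-256 over salt || password.
    SHA-256 is an assumption for illustration; the article does not say what Tumblr used."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_salted_hash(salt: bytes, password: str) -> bytes:
    """Hardened storage: scrypt, a deliberately slow, memory-hard KDF, so each guess
    costs the attacker roughly what one legitimate login costs the server."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


def build_dump(users, hash_fn):
    """Build the credential table an attacker would steal: email -> (salt, digest).
    Every user gets a fresh 16-byte random salt; no plaintext password is stored."""
    dump = {}
    for email, password in users.items():
        salt = os.urandom(16)
        dump[email] = (salt, hash_fn(salt, password))
    return dump


def verify(dump, email, password, hash_fn):
    """Server-side login check. The constant-time compare avoids leaking digest prefixes."""
    salt, digest = dump[email]
    return hmac.compare_digest(hash_fn(salt, password), digest)


def same_password_different_digests(dump, email_a, email_b):
    """True when two records differ even though the plaintexts matched: the effect of per-user salts,
    which is what stops one precomputed table from cracking every account at once."""
    (salt_a, digest_a), (salt_b, digest_b) = dump[email_a], dump[email_b]
    return salt_a != salt_b and digest_a != digest_b


def crack_dump(dump, wordlist, hash_fn):
    """Offline dictionary attack on a leaked dump. Salting forces one hash per (account, guess)
    instead of one table for all accounts, but it does not stop guessing: every account whose
    password is in the wordlist falls, whichever hash function protects it. A slow KDF only
    raises the price of each guess, which is why users are still told to change weak passwords."""
    cracked = {}
    for email, (salt, digest) in dump.items():
        for guess in wordlist:
            if hash_fn(salt, guess) == digest:
                cracked[email] = guess
                break
    return cracked


if __name__ == "__main__":
    for name, fn in (("sha256(salt||pw)", fast_salted_hash), ("scrypt", slow_salted_hash)):
        dump = build_dump(SAMPLE_USERS, fn)
        start = time.perf_counter()
        found = crack_dump(dump, CONSTRUCTED_WORDLIST, fn)
        elapsed = time.perf_counter() - start
        print(f"{name}: login ok={verify(dump, 'alice@example.com', 'password123', fn)} "
              f"cracked={sorted(found)} in {elapsed:.3f}s")
```

Running the script cracks the same two accounts under both schemes; the difference is the wall-clock cost per guess, which for scrypt is what makes an attacker price a dump by how hard the passwords are to recover. Changing a weak password is the only thing that takes an account out of the wordlist.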
The security lapse is the third to be revealed in recent weeks after breaches at LinkedIn and MySpace.
Earlier this month the same hacker claimed to have more than 100 million LinkedIn logins after an attack on the site in 2012 and 360 million MySpace email addresses and passwords.
Lisa Baergen, Director at NuData Security, commenting on the breaches: “I sound like a broken record, but here we are again. Just as consumers start to feel secure, news of yet another breach hits the wire. No matter how long it takes to come out, the bottom line is that you have to stop thinking ‘what if’ and accepting it should be seen as ‘when’…
“Although usernames and passwords can be changed, victims of a breach need to understand that every bit of information exposed is important and may sit dormant for some time. These credentials are likely sold in packages on the dark web and compiled out of solid profiles of your online identity. Fraudsters are learning that information stolen from various breaches can create more comprehensive ‘identity bundles’ which sell for a higher value to hackers. With more complete information, more fraud can take place.
“As an example, if I’m a hacker and gain access to geographical data on John Smith from breach one, and bank account information from breach two, I can fill out a loan application or apply for a new credit card as John regularly would. Where credit card fraud was all the rage a couple of years ago, it is account takeover and new account fraud that is on the dramatic rise. We saw in our own database of billions of behavioural events annually a 10% month-over-month increase in new account fraud.
“Fortunately, there are methods that online providers can take to help keep us consumers safe, while giving true insight into who sits behind the device – and trust it is not the hacker using our identity information online.
“User behaviour analytics can provide victims of this and other breaches with an extra layer of protection even after the hack has occurred. We need to put a stop to these fraudsters in a completely passive and non–intrusive way to us, the consumers. This is accomplished by understanding how a legitimate user truly behaves in contrast to a potential fraudster using our legitimate information ripped from all these breaches. Without even interrupting a user’s experience, fraud can be predicted and prevented from occurring. The only way to achieve this is by truly being able to identify the identity of the user behind the device.
“So, good luck, hackers – you can keep stealing our data, but we are going to make this data invaluable to you, and you can’t steal my behaviours!”