Pwned: 65 million Tumblr accounts, 40 million from Fling, 360 million from MySpace (2024)

Pwned: 65 million Tumblr accounts, 40 million from Fling, 360 million from MySpace (1)

byDarlene Storm

news analysis

May 30, 20163 mins

CybercrimeData and Information SecurityPrivacy

That "set" of accounts compromised in the Tumblr hack was actually 65 million. Have I Been Pwned added another 40 million from the 'dating' hookup site Fling. The MySpace hack had more than 360 million email addresses in it.

After signing up for Have I Been Pwned? when Troy Hunt started the site in 2013, I had received no notifications about any account being compromised in a data breach. But then whammo! I get two notifications for two separate breaches in a relatively short time. The one today was about Tumblr, an account I barely remember even signing up for.

Over 65 million Tumblr accounts compromised

Tumblr claimed “a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013.” The reality, according to the HIBP notification, is that 65,469,298 people were pwned in the Tumblr data breach from February 2013; the compromised data included email addresses and passwords.

In other words, dumped data from another old hack came out of nowhere and jumped to number three inHIBP’stop 10 breaches.

A hacker going by “peace_of_mind” was selling the Tumblr data on the darknet marketplace The Real Deal.

Peace told Motherboard that Tumblr had used SHA1 to hash the passwords and also used salt, making them hard to crack. The data is “essentially just a list of emails” and “he was only able to sell it for $150.”

Over 40 million Fling accounts compromised

Before adding the Tumblr accounts to HIBP, security researcher Troy Hunt reported that he had just added 40,767,652 compromised records from Fling, which is not safe for workor around children if you click on it. The Fling breach dated back to 2011.

“Peace” is also selling the compromised account data from Fling, LinkedIn, Tumblr and MySpace.

Data from mega breaches no longer ‘dormant’

The LinkedIn hack of 2012 supposedly exposed 6.2 million password hashes, but that ended up missing the mark by a tremendous amount since a hacker was selling 167 million LinkedIn user records. 117 million had passwords, which were stored in SHA1 with no salting.

Then there’s more than 65 million accounts compromised from Tumblr and over 40 million from Fling. “This data has been lying dormant (or at least out of public sight) for long periods of time,” Hunt wrote.

Although the total records added to HIBP in the last six days is 269 million, Hunt said all of those latest hacks will “pale in comparison” once he gets hold of and adds the compromised MySpace records.

MySpace hack

The MySpace hack contained over 360 million email addresses in it.

LeakedSource reported the “data set contains 360,213,024 records. Each record may contain an email address, a username, one password and in some cases a second password. Of the 360 million, 111,341,258 accounts had a username attached to it and 68,493,651 had a secondary password.”

The data, which had been provided by “Tessa88,” included 427,484,128 total passwords that were stored in SHA1 with no salting. Sadly, “very few passwords were over 10 characters in length (in the thousands) and nearly none contained an upper case character.” MySpace had chosen not to respond when contacted, so LeakedSource has included a list of top passwords as well as the top email domains.

LeakedSource, which has accumulated over 1.6 billion records, has search capabilities. If you find your personal information in the leaked databases, you can contact LeakedSource and ask for it to be “removed free of charge.”

This “trend” of data being sold from really old hacks has Hunt “really curious.” He wrote, “Even if these events don’t all correlate to the same source and we’re merely looking at coincidental timing of releases, how many more are there in the ‘mega’ category that are simply sitting there in the clutches of various unknown parties?”

Related content

  • news analysisMicrosoft delivers a light Patch Tuesday for June This month's Patch Tuesday release included 49 updates, but no major zero-day flaws.By Greg LambertJun 14, 20247 minsWindows SecurityMicrosoftWindows
  • news analysisEverything Apple Intelligence will do for you (so far) These are the tools and services Apple's new Apple Intelligence will boost — with more to come.By Jonny EvansJun 14, 20246 minsAppleGenerative AIMobile
  • how-toDownload our AI as a service (AIaaS) enterprise buyer’s guide AI as a service (AIaaS) provides customers with cloud-based access for integrating and using AI capabilities in their projects or applications without needing to build and maintain their own AI infrastructure. Here are your options.By Andy PatrizioJun 14, 20241 minEnterprise Buyer’s GuidesCloud Computing
  • newsMicrosoft delays Recall launch amid privacy concerns The recently announced Windows feature, which takes regular screenshots of a user’s PC activities, will be available first via Windows Insider instead of a wider rollout to Copilot+ devices.By Matthew FinneganJun 14, 20243 minsData PrivacyMicrosoftWindows Security


From our editors straight to your inbox

Get started by entering your email address below.

Pwned: 65 million Tumblr accounts, 40 million from Fling, 360 million from MySpace (2024)


Top Articles
Latest Posts
Article information

Author: Edmund Hettinger DC

Last Updated:

Views: 6341

Rating: 4.8 / 5 (78 voted)

Reviews: 93% of readers found this page helpful

Author information

Name: Edmund Hettinger DC

Birthday: 1994-08-17

Address: 2033 Gerhold Pine, Port Jocelyn, VA 12101-5654

Phone: +8524399971620

Job: Central Manufacturing Supervisor

Hobby: Jogging, Metalworking, Tai chi, Shopping, Puzzles, Rock climbing, Crocheting

Introduction: My name is Edmund Hettinger DC, I am a adventurous, colorful, gifted, determined, precious, open, colorful person who loves writing and wants to share my knowledge and understanding with you.