More than 65 million Tumblr accounts from a 2013 breach were spotted for sale on the dark web.
Security researcher and Haveibeenpwned owner Troy Hunt recently found a database containing the stolen account information for sale on a dark web market site and listed the breach on his own site as the third largest ever.
A hacker known as Peace was selling the database for $150, according to Vice's Motherboard. Peace told Motherboard the price is so low because the salted passwords are very difficult to crack however, Hunt told the publication roughly half of the passwords will likely be cracked due to weak password protections that were used at the time.
On May 12, Tumblr notified users of the breach that compromised user email addresses with salted and hashed passwords from early 2013 and told users there is no reason to believe that the information was used to access their Tumblr accounts.
Although the breach isn't as bad as other major breaches, it has the potential to be dangerous for users who re-use passwords, Kaspersky Lab Senior Security Researcher Brian Bartholomew told SCMagazine.com via email.
“If you were to think about how many users from Tumblr have Apple cloud accounts, Twitter accounts, Gmail or other online mail accounts, etc. the potential risk is high for this breach to bleed over into other stories down the road,” he said. “These credentials could be used by criminals to access anything from bank accounts, to mail accounts, to other online systems that may house personal data / pictures / etc.”
Bartholomew also said the credentials could be used to carry out phishing attacks, targeting and extortion.