The hack of social media accounts continues this week as Tumblr usernames and passwords goes up for sale on a Tor dark market website called TheRealDeal.
A Tumblr security note indicated attackers had obtained user e-mail addresses as well as salted and hashed passwords. The attack, which occurred in early 2013 before the company was acquired by Yahoo, was just recently discovered.
Tumblr users are being advised to change their passwords.
Tumblr is not the only victim, however. It has recently come to light that Myspace was the victim of hackers as well with some 360 million accounts compromised. User login data from a number of accounts created prior to June 11, 2013 on the old Myspace platform was stolen.
“As part of the major site re-launch in the summer of 2013, Myspace took significant steps to strengthen account security. The compromised data is related to the period before those measures were implemented,” a Myspace blog post reads. “We are currently utilizing advanced protocols including double salted hashes (random data that is used as an additional input to a one-way function that “hashes” a password or passphrase) to store passwords.”
Myspace has invalidated all user passwords for the affected accounts. Any of these users returning to Myspace will be prompted to authenticate their account and to reset their password by following instructions at https://myspace.com/forgotpassword
Both data breaches are thought to be the work of a Russian cyber-hacker known as ‘Peace.’ This person has also claimed responsibility for the LinkedIn hack.
The alleged attacker told LeakedSource that the data is all from a past breaches.
Peace is also linked to the 2012 LinkedIn data breach that saw 167 million users affected. Of those 167 million breached account, 117 million included e-mails and encrypted passwords. Peace told Motherboard two weeks ago that he is selling the data he filched on the dark Web for five bitcoin, which amounts to just under $2,300.