What happened
According to public breach records, the Tumblr data breach on February 28, 2013 is reported to have exposed the personal information of 65,469,298 accounts.
In early 2013, Tumblr suffered a data breach which resulted in the exposure of over 65 million accounts. The data was later put up for sale on a dark market website and included email addresses and passwords stored as salted SHA1 hashes.
Passwords in this breach were reportedly stored as SHA-1 hashes.
In early 2013, a third party gained unauthorized access to Tumblr account data, but the incident only came to light in May 2016 when Tumblr disclosed it after the stolen set surfaced for sale on a darknet marketplace ("The Real Deal") by a seller using the alias "peace_of_mind." The exposed data consisted of email addresses and passwords stored as salted SHA1 hashes, which made them comparatively difficult to crack. Security researcher Troy Hunt analyzed the leaked data and counted 65,469,298 unique records; Tumblr reset affected users' passwords as a precaution and said it had found no evidence the data was used to access accounts.
What data was exposed
The following types of personal data were compromised:
- Email addresses
- Passwords
Breach details
| Detail | Value |
|---|---|
| Breach name | tumblr |
| Date | February 28, 2013 |
| Accounts affected | 65,469,298 |
| Domain | tumblr.com |
This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.
We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by Tumblr; it reflects a publicly reported security incident.
What to do now
Based on the data exposed in this breach, here are the steps you should take:
- Change your Tumblr password immediately if you have not since 2016, and replace any reused password on other accounts that shared the same email/password combination.
- Enable two-factor authentication on Tumblr and other important accounts so a leaked password alone cannot grant access.
- Use a password manager to generate unique passwords per site, since the salted-SHA1 hashes in this set can still be cracked offline for weak or common passwords.
- Watch for targeted phishing emails sent to the exposed address that reference Tumblr or attempt to harvest new credentials.
Check your exposure
Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.