
65M Tumblr Passwords for Sale on TheRealDeal - e-sushi
https://electronic-sushi.tumblr.com/post/145210603436/65-million-tumblr-passwords-for-sale-on
======
giancarlostoro
As shared in the link, if you want to check if your Tumblr account was
compromised check out:

[https://haveibeenpwned.com/](https://haveibeenpwned.com/)

~~~
Kequc
It's amazing. Just about every single one of my email addresses has been
compromised in one way or another. How could it be that there are so many
websites with such bad security?

~~~
cloudjacker
That site is amazing, I can look up anyone's email address and see what hacked
communities they are a part of

~~~
gambler
Unless they use different emails for different websites. This sounds extreme,
but you just pointed out one reason that might be a good idea.

~~~
cm2187
And other reasons include:

Knowing who leaked your email or sold it to spammers

Being able to stop spam by deleting the email

You could even consider binding the email to a domain so the address would
only accept emails from the domain you gave this email address.

You don't really want different mailboxes, you want one mailbox with different
aliases. An alias becomes a "communication token" which can be revoked, very
much like when paypal gives a payment authorisation token to an ecommerce
website. If that token gets leaked, no big deal, no one else can use it. A
single email address is more like a credit card number.

~~~
imtringued
Try <username>+<per_site_suffix>@gmail.com and then set up a filter for every
suffix.

The per_site_suffix can be anything you want.

~~~
cm2187
Except that everyone does that; I am sure spammers know that suffix trick
very well.

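The alias-as-revocable-token scheme cm2187 describes, with imtringued's plus-addressing as the alias syntax, as an added example that is not part of the original thread or of any mail provider's code. It classifies inbound mail by alias: mail to a bound alias from a sender outside the bound domain reveals which site leaked the address, and a revoked alias is simply dropped. The mailbox `me@example.com`, the site tags, the bound domains and the sample messages are all constructed for this illustration. cm2187's caveat applies: the `+tag` convention is public, so a spammer can strip the tag and reach the bare mailbox; only a provider-side alias that does not expose the real local part resists that.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example: a registry of per-site e-mail aliases treated as revocable
# "communication tokens". The mailbox, site tags, bound domains and sample
# messages are constructed for this illustration.

# Plus-addressing as in the thread: <user>+<tag>@<domain>.
PLUS_ADDR = re.compile(r"^(?P<user>[^+@]+)\+(?P<tag>[^@]+)@(?P<domain>[^@]+)$")


@dataclass
class Alias:
    tag: str                         # per-site suffix, e.g. "tumblr"
    bound_domain: Optional[str]      # only accept mail whose sender is in this domain
    revoked: bool = False


@dataclass
class AliasRegistry:
    mailbox_user: str
    mailbox_domain: str
    aliases: Dict[str, Alias] = field(default_factory=dict)

    def issue(self, tag: str, bound_domain: Optional[str] = None) -> str:
        """Mint a new alias for one site; returns the address to hand out."""
        self.aliases[tag] = Alias(tag, bound_domain)
        return f"{self.mailbox_user}+{tag}@{self.mailbox_domain}"

    def revoke(self, tag: str) -> None:
        """Stop accepting mail for an alias that was leaked or sold."""
        self.aliases[tag].revoked = True

    def classify(self, rcpt: str, sender: str) -> Tuple[str, Optional[str]]:
        """Decide what to do with one inbound message.

        Returns (verdict, tag) where verdict is one of
        'accept', 'revoked', 'wrong_sender', 'unknown_alias', 'not_an_alias'.
        A 'wrong_sender' verdict tells you which site leaked the alias.
        """
        m = PLUS_ADDR.match(rcpt.strip().lower())
        if not m or m["user"] != self.mailbox_user or m["domain"] != self.mailbox_domain:
            return ("not_an_alias", None)
        tag = m["tag"]
        alias = self.aliases.get(tag)
        if alias is None:
            return ("unknown_alias", tag)
        if alias.revoked:
            return ("revoked", tag)
        sender_domain = sender.rsplit("@", 1)[-1].strip().lower()
        if alias.bound_domain is not None:
            bound = alias.bound_domain
            if sender_domain != bound and not sender_domain.endswith("." + bound):
                return ("wrong_sender", tag)
        return ("accept", tag)


def demo() -> List[Tuple[str, Optional[str]]]:
    """Run the constructed sample traffic through the registry."""
    reg = AliasRegistry("me", "example.com")
    reg.issue("tumblr", bound_domain="tumblr.com")   # only tumblr.com may use it
    reg.issue("newsletter")                          # unbound: any sender
    reg.revoke("newsletter")                         # ...until it started attracting spam
    messages = [  # (recipient, sender): constructed sample traffic
        ("me+tumblr@example.com", "noreply@tumblr.com"),
        ("me+tumblr@example.com", "deals@spam.example.net"),  # the tumblr alias has leaked
        ("me+newsletter@example.com", "news@example.org"),
        ("me+unknown@example.com", "someone@example.org"),
        ("me@example.com", "friend@example.org"),
    ]
    return [reg.classify(rcpt, sender) for rcpt, sender in messages]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Run as a script it prints one verdict per sample message; the second message is the interesting one, since a sender outside `tumblr.com` writing to the Tumblr-only alias is exactly the "who leaked my address" signal the comment is after.
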
------
an_ko
The primary source (of Tumblr confirming the leak) wasn't linked from the
article (Tumblr Staff Blog, May 12th 2016):
[https://staff.tumblr.com/post/144263069415](https://staff.tumblr.com/post/144263069415)

------
therealmarv
It's a shame Tumblr and Yahoo... we are informed 3 (!!!) years after this
breach. Unbelievable.

------
martin-adams
Just looking at haveibeenpwned.com, it links to how cryptographically poor the
Adobe passwords were. I am fascinated by how popular certain passwords are:
[http://stricture-group.com/files/adobe-top100.txt](http://stricture-group.com/files/adobe-top100.txt)

It appears some random words aren't necessarily random. Words like 'shadow'
and '1q2w3e4r'.

Fascinating!

~~~
ben_jones
You can probably get even more correlation if you account for "l33tspeak" i.e.
swapping letters for numbers that look like them.

    password => p455w0rd
    password => passw0rd

~~~
MichaelGG
Don't forget adding ! or 101 and so on to the end of a password and
capitalizing the first letter. "Password1!" is likely to pass complexity and
length requirements quite well.

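The correlation ben_jones and MichaelGG are describing, worked both ways, as an added example that is not code from the thread or from the Adobe list: `mangle()` generates the common variants of a base word (capitalisation, full and partial leetspeak, appended digits and punctuation, the way hashcat-style rules do), and `canonicalize()` undoes those transformations so a leaked list can be grouped by base word. Keyboard walks such as `1q2w3e4r` are detected with a simplified, unstaggered keyboard model and counted as their own bucket. The leet table, the suffix list, the keyboard rows and the `SAMPLE` list are all constructed for this illustration.

```python
import re
from collections import Counter
from typing import Dict, List

# Added example: password mangling rules and their inverse.
# Leet table, suffixes, keyboard model and SAMPLE are constructed, not taken
# from the thread or from the Adobe top-100 file.

LEET_FWD = str.maketrans("aeiost", "431057")                 # password -> p455w0rd
LEET_BACK = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i",
                           "0": "o", "5": "s", "$": "s", "7": "t"})
SUFFIXES = ("", "1", "!", "1!", "123", "101")                # "Password1!" and friends
SUFFIX_RE = re.compile(r"[0-9!?.]+$")                        # trailing digits/punctuation

# Simplified (unstaggered) US keyboard, enough to spot walks like 1q2w3e4r.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYPOS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def is_keyboard_walk(pw: str, min_len: int = 4) -> bool:
    """True when every consecutive pair of keys is adjacent (incl. diagonally)."""
    s = pw.lower()
    if len(s) < min_len or len(set(s)) < 3 or any(ch not in KEYPOS for ch in s):
        return False
    pos = [KEYPOS[ch] for ch in s]
    return all(abs(r2 - r1) <= 1 and abs(c2 - c1) <= 1
               for (r1, c1), (r2, c2) in zip(pos, pos[1:]))


def mangle(word: str) -> List[str]:
    """All variants of `word` produced by the rules above (sorted, unique)."""
    bases = {word.lower(), word.capitalize()}
    variants = set(bases)
    variants |= {b.translate(LEET_FWD) for b in bases}   # full leet: p455w0rd
    variants |= {b.replace("o", "0") for b in bases}     # partial leet: passw0rd
    return sorted(b + suffix for b in variants for suffix in SUFFIXES)


def canonicalize(pw: str) -> str:
    """Map a password back to its base word for counting.

    Ambiguity is inherent: a trailing leet digit (h3ll0) is stripped as if it
    were a suffix, and '1' could stand for 'i' or 'l'. Good enough for
    frequency analysis, not a bijection.
    """
    if is_keyboard_walk(pw):
        return "<keyboard-walk>"
    core = SUFFIX_RE.sub("", pw)
    return core.lower().translate(LEET_BACK)


def base_word_counts(passwords: List[str]) -> Dict[str, int]:
    """Group a (constructed) leaked list by base word."""
    return dict(Counter(canonicalize(p) for p in passwords))


# Constructed sample; the real Adobe list is linked in the thread.
SAMPLE = ["password", "Password1!", "p455w0rd", "passw0rd",
          "shadow", "Shadow1", "1q2w3e4r", "qwerty"]

if __name__ == "__main__":
    print(base_word_counts(SAMPLE))
    print(len(mangle("password")), "variants of 'password'")
```

Every variant `mangle("password")` emits canonicalizes back to `password`, which is the point: complexity rules that accept `Password1!` add almost nothing against an attacker whose wordlist is run through the same handful of rules.
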
------
alanh
- From the 2013 data breach

- HaveIBeenPwnd contains the data on sale here

~~~
giancarlostoro
If you don't know what HaveIBeenPwnd is, you type in your email to check if it
is involved in any data breaches online. They don't give you the actual data
back.

------
Navarr
Hashed and salted SHA-1 should take basically no time to crack at all.

~~~
tonmoy
This was sarcasm right? In all seriousness though, I think titles like
"passwords stolen" are a little misleading. Article titles should either be
"hashed passwords stolen" or "plaintext passwords stolen" IMO.

~~~
rudolf0
No, he's absolutely right. Single-iteration SHA-1 is extremely inappropriate
for password hashing, and all salting does is prevent rainbow table attacks
and instant reversal of duplicate hashes. It does not slow down non-
precomputed attacks one bit.

It's much better than plaintext, but essentially only a little bit better than
unsalted MD5.

I'm really surprised Tumblr would use such an awful password storage scheme as
late as 2013. I thought they invested a lot into security?

~~~
vonmoltke
From the perspective of trying to crack a single user's account the salt does
not slow down non-precomputed attacks at all. From the perspective of trying
to crack the entire database, or a significant portion of it, it multiplies the
work required by N (where N is the desired number of cracks to perform).

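The two perspectives rudolf0 and vonmoltke describe, made concrete as an added example (not Tumblr's code, and it assumes nothing about Tumblr's storage beyond the salted SHA-1 the thread states). It counts hash computations rather than timing anything: against an unsalted dump every candidate is hashed once and looked up against all targets, against a salted dump every (account, candidate) pair costs one hash, and against a single chosen account the salt changes nothing because it is stored beside the hash. `slow_hash` is the PBKDF2 alternative for contrast. The user list and wordlist are constructed.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Added example illustrating single-target vs whole-dump cracking cost for
# salted, single-iteration SHA-1. USERS and WORDLIST are constructed.


def unsalted_sha1(password: bytes) -> bytes:
    return hashlib.sha1(password).digest()


def salted_sha1(password: bytes, salt: bytes) -> bytes:
    return hashlib.sha1(salt + password).digest()


def slow_hash(password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """What a 2013-era site should have used instead: every guess now costs
    `iterations` HMAC-SHA-256 computations rather than a single SHA-1."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def build_salted_db(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """name -> (salt, salted SHA-1 of the password), one random salt per user."""
    db = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        db[name] = (salt, salted_sha1(pw.encode(), salt))
    return db


def crack_unsalted(hashes: Dict[str, bytes], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Unsalted: hash each candidate ONCE and look it up against every target.
    Work is |wordlist| no matter how many accounts are in the dump."""
    table, work = {}, 0
    for cand in wordlist:
        work += 1
        table[unsalted_sha1(cand.encode())] = cand
    found = {name: table[h] for name, h in hashes.items() if h in table}
    return found, work


def crack_salted(db: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Salted: each (account, candidate) pair costs one hash, so the whole dump
    is up to N x |wordlist| work. One chosen account is still just |wordlist|
    work: the salt sits right next to the hash."""
    found, work = {}, 0
    for name, (salt, h) in db.items():
        for cand in wordlist:
            work += 1
            if salted_sha1(cand.encode(), salt) == h:
                found[name] = cand
                break
    return found, work


# Constructed sample data.
USERS = {"alice": "password", "bob": "letmein",
         "carol": "correct horse battery staple", "dave": "password"}
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome"]


def demo() -> dict:
    db = build_salted_db(USERS)
    unsalted = {name: unsalted_sha1(pw.encode()) for name, pw in USERS.items()}
    found_u, work_u = crack_unsalted(unsalted, WORDLIST)
    found_s, work_s = crack_salted(db, WORDLIST)
    # Single-target attack on alice alone: identical cost with or without a salt.
    _, work_alice = crack_salted({"alice": db["alice"]}, WORDLIST)
    return {"unsalted_found": found_u, "unsalted_work": work_u,
            "salted_found": found_s, "salted_work": work_s,
            "single_target_work": work_alice}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With four accounts and five candidates the salted run costs 13 hashes instead of 5 for the unsalted table lookup, which is vonmoltke's factor of N; cracking alice by herself costs 2 hashes either way, which is rudolf0's point. Swap `salted_sha1` for `slow_hash` and each of those guesses becomes 100,000 HMAC computations.
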
~~~
rudolf0
I mean, it depends how you look at it.

I consider precomputed attacks a special case of these attacks, sort of. In
the security world, most password-predicting attacks are linear with respect
to the number of accounts you're trying to get passwords for.

It's true that it will take a lot of hardware to efficiently attack all 65
million passwords. But in my field, big dumps like these are a godsend when
doing a pentest.

Looking to compromise a sysadmin's account? Search his/her emails and aliases
in as many DB dumps as you can find, then expend a lot of resources cracking
that one hash. If it's just a SHA-1 hash and the password isn't very strong,
you won't have much trouble.

Also a risk for people with vendettas against specific tumblr users (which, to
my understanding, is a big issue on tumblr).

------
drhayes9
Now is a great time to add two-factor authentication to your account after you
change your password.

~~~
1024core
Problem with 2FA is: what happens when you're traveling internationally and
don't have access to your phone number, and need to look up your bank balance
or something where you've employed 2FA?

~~~
oddevan
One solution is to use Google Authenticator (or a similar compatible app) that
generates the codes on-device so no data/SMS connection is needed.

~~~
gambler
You still need your phone for that. If you're out of battery charge, you're
temporarily locked out. If you lose your phone, you're locked out until you
recover the number. If you can't recover the number for some reason, then
what?

People downplay the probability and importance of these issues, but the
situations where you lose your phone are often the situations where you need
access to your online accounts. One such situation can do far more damage than
all the hacks combined. (For example, someone steals your backpack with your
phone and wallet. Horror scenario: someone steals your backpack with your
phone and wallet in a foreign country.)

In short, loss of access must be considered as a tradeoff.

Losing anonymity due to phone-based 2FA is another issue that never seems to
be considered in these discussions.

Finally, phone-based 2FA discourages you from splitting your accounts. (It's a
bit of a hassle even with one email. Imagine managing 5 or 6.)

~~~
epmatsw
2FA isn't limited to a single device. With 1Password, a TOTP code is available
on my laptop, on my phone, on my watch, via an encrypted backup, etc. If you
have access to a computer, you can access your second factor. That's not even
counting paper backups as others have mentioned.

Not sure how anonymity factors in here. How can typing a number into your
phone to set up TOTP then typing the resulting numbers back into your already-
authenticated account deanonymize you?

Finally, yes, adding more security is a hassle. But if you're willing to add 5
seconds to your login on one account, I don't see why you'd be super against
doing that for multiple accounts.

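What "a TOTP code is available on my laptop, on my phone, on my watch" means in practice, as an added example that is not from the thread or from any authenticator app: RFC 4226 HOTP and RFC 6238 TOTP implemented with the Python standard library. The code depends only on the shared secret and the current 30-second window, so it needs no network (oddevan's point) and every device holding the secret produces the same digits (epmatsw's point). The key used is the published RFC test-vector key, not anyone's real secret; `two_devices` and the base32 enrolment helper are this example's own constructions.

```python
import base64
import hmac
import hashlib
import struct
import time
from typing import Optional

# Added example: RFC 4226 HOTP / RFC 6238 TOTP, standard library only.
# RFC_SECRET is the RFC test-vector key; two_devices() is a constructed demo.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = dynamic-truncate(HMAC-SHA1(K, C)) mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def verify_totp(secret: bytes, code: str, at: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server side: accept codes from `window` steps either side to absorb
    clock skew, comparing in constant time."""
    t = int(at)
    return any(hmac.compare_digest(totp(secret, t + k * step, step, digits), code)
               for k in range(-window, window + 1))


def secret_from_base32(text: str) -> bytes:
    """The key shown beside the QR code / in otpauth:// URIs is base32; this is
    what you type into a second device to enrol it with the same secret."""
    s = text.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


RFC_SECRET = b"12345678901234567890"                   # RFC 4226/6238 test key
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"     # the same key, base32


def two_devices(at: float = 1234567890) -> dict:
    """Phone enrolled from the raw key, laptop enrolled by typing the base32
    string: both derive the same code for the same 30-second window, and the
    server accepts it."""
    phone = totp(RFC_SECRET, at)
    laptop = totp(secret_from_base32(RFC_SECRET_B32), at)
    return {"phone": phone, "laptop": laptop,
            "server_accepts": verify_totp(RFC_SECRET, laptop, at)}


if __name__ == "__main__":
    print(two_devices())
    print("current code:", totp(RFC_SECRET))
```

The flip side of gambler's concern is visible here too: whoever holds `RFC_SECRET` (a password manager's encrypted vault, a paper backup of the base32 string) can regenerate the codes, so the secret needs to be backed up and protected exactly like a password.
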
------
ohitsdom
Link to change your Tumblr password:
[https://www.tumblr.com/forgot_password](https://www.tumblr.com/forgot_password)

~~~
Spooks
Also, if for some bad reason your Tumblr password is the same as your email
password, make sure you change that as well (as they have the emails of the
accounts).

------
whatgoodisaroad
Thank goodness 2013 was before I had to change my Tumblr password (and
activate 2fa) because of Heartbleed.

------
RamenJunkie_
These Tumblr Passwords are probably useless. Last time I logged into both my
Tumblr accounts there was a required Password reset.

------
thesimpsons1022
I wish I could find my hash, because I used Tumblr back then but have deleted
my account since. I just want to know whether it is a password I'm still using
or not.

~~~
rvense
Been in this situation a few times now. It's dawning on me that this is why
they say not to use the same password in more places..

~~~
thesimpsons1022
Well, I have a lot of accounts I don't care much about, but it's still nice to
know. The ones I do care about (Amazon, banking, Facebook, etc.) do have
unique passwords.

------
thesimpsons1022
Just curious: from 1 to Snowden, how illegal is it to buy or access this
dataset?

------
nolepointer
Wow, whoever is responsible for this is a real shitlord!

