Any website is only so secure, and passwords and usernames being leaked to the public have become, unfortunately, a matter of course. Generally, websites quickly inform their users of breaches to encourage them to change their passwords, but that only works when the sites realize they’ve been hacked. Tumblr apparently didn’t for three years. And that’s just the tip of the iceberg.
The Tumblr Hack
The sheer scale of the Tumblr breach is staggering, as 65 million email addresses and passwords are out in the wild, with a database of the whole leak available for just $150 on various hacker sites. Allegedly, the breach happened just before the site was sold to Yahoo! for $1.1 billion in 2013. The good news is that the passwords are difficult, if not impossible, to recover. Tumblr turned the passwords into strings of digits with an algorithm, a technique called “hashing” that’s only reversible if you have that algorithm, and added several digits to those numbers, a technique called “salting.” That makes them a garbled mess unless you work for Tumblr.
That said, the email addresses used on the site weren’t subject to any such treatment, so Tumblr users will likely be on the receiving end of loads of spam. Still, anyone whose password may have been affected should change it immediately. You can find out if you were affected at Have I Been Pwned or wait for Tumblr to email you, as the blogging service has been contacting affected users. Despite the low chances of a Tumblr being stolen, however, there’s still the fact that not even the people who run the site knew that they’d lost millions of passwords and usernames. And it’s a problem that’s only getting worse.
Why Is This Information Only Coming Out Now?
Troy Hunt, who trains people for Microsoft and runs Have I Been Pwned, has recently noticed a troubling problem of what he calls “historical mega breaches.” These are massive hacks of websites, those with millions of emails and passwords, which are collected by hackers who then sit on the information for months or even, in some cases, years. Hunt notes a Fling.com breach from 2011 was only recently leaked and that the 2012 LinkedIn password breach compromised millions of records that turned up four years later. Hunt notes that there’s a Myspace breach that probably dates back even earlier and contains hundreds of millions of emails. The Have I Been Pwned database will triple in size due to this handful of leaks.
The problem, as Hunt points out, is that we have absolutely no idea why this data is turning up now, who procured it, or what else might be out there. It’s true that three years is practically eons on the internet and many of these passwords will be changed, but many people recycle a handful of passwords, and it’s only a matter of time before a breach leads to serious consequences. So what can we do to protect ourselves?
Give Your Password An Expiration Date
The most practical thing to do is simply change your passwords regularly, and use a strong password. Strong passwords use letters, numbers, and characters. Don’t use anything hackers can figure out about you from social media, like a pet name or your birthday. And, of course, don’t hand your password out. Even if you only tweak a strong password by changing a few digits or characters every six months, it’ll still likely be enough to keep you safe. Another useful factor is that sites like Tumblr are increasingly realizing that breaches are inevitable and making their databases hard to crack even if they are stolen.
If you get an email insisting your password has been stolen, make sure to check the email address closely and go to the website independently, not through any link the email provides you. Phishing attacks are fairly common in the wake of a database leak, and going to the site separately and changing your password there is the best way to protect yourself from becoming a victim. Finally, don’t use the same passwords for social media sites that you do for online banking or other sensitive data. With breaches still waiting to be revealed, aging passwords are the biggest danger.
Breaches are going to remain common. The best way to protect yourself is to assume that hacks will happen and act accordingly, whether you hear about them or not.