Three years ago, before Yahoo paid too much money to acquire it, Tumblr got hacked. The precise extent of the hack was unclear, and Tumblr only found out about it this month; a couple of weeks ago it tersely announced “that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013.” It forced users to reset their passwords.
Now, the damage from the hack has come to light, and it is substantial. Security researcher Troy Hunt told Motherboard that more than 65 million user names and hashed and salted passwords were taken from the social network (“hashed” means each password had been protected by converting it, one way, into a string of characters; “salted” means it had been further protected by mixing in extraneous data before hashing). This makes the passwords difficult to decode, though not impossible. The data set is much more useful if you only need a list of 65 million email addresses and their accompanying incomprehensible text strings.
Like the recent reveal that 117 million LinkedIn accounts were compromised in 2012, the leak is another instance of a new type of hack, in which hackers acquire millions of credentials and then lie low and out of sight for years. In some ways, keeping the breach a secret is as important as getting past security measures in the first place. Data like this is next to useless if places like Tumblr can immediately inform their users.