Trigger warning: 65.5m hacked Tumblr records hit the dark web
The social justice warriors and “other kin” who use the Yahoo, Inc.-owned blogging site Tumblr have been pwned with a hacker releasing stolen records, including usernames and passwords, on the dark web.
News of a potential hack of Tumblr first emerged in mid-May when Yahoo confirmed the site had been hacked, but the hack itself had taken place in 2013 prior to them acquiring the service.
What wasn’t previously known was exactly how many records were accessed, but a new report from data breach awareness site Have I Been Pwned puts the figure at 65,469,298 email addresses and passwords.
There is some contention, however, as to the quality of the data and how accessible it is.
According to Hackread, the passwords contained in the data leak are not in plain text but hashed, a form in which each password is converted by a one-way function into a seemingly random string of characters; further, it’s claimed Tumblr had used the SHA1 method to hash their passwords along with salting them, making it hard for hackers to go through the passwords and crack them easily.
IT Pro notes that the data appears to include many accounts that were deactivated at the time of the attack, as the email addresses begin with “deactivated” followed by a date before the email address proper; even if the passwords in these cases were cracked, they would not be able to be used to access Tumblr.
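To illustrate the salting claim above, here is an added example (not from the article, Hackread or Tumblr) that compares unsalted and salted SHA1 records against a precomputed table of common-password digests. How Tumblr actually combined salt and password is not stated; the salt-then-password layout, the 16-byte salt, and all names and sample passwords below are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes) -> str:
    """SHA-1 over salt || password (assumed layout, not Tumblr's confirmed scheme)."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def new_record(password: str) -> dict:
    """Create a stored record with a fresh random per-user salt."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": hash_password(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])


def precomputed_hits(records, table) -> int:
    """Count records whose digest appears in a table of unsalted SHA-1 digests."""
    return sum(1 for r in records if r["digest"] in table)


# Constructed sample data: a tiny "common password" table and three users,
# two of whom chose the same password.
COMMON = ["123456", "password", "qwerty"]
UNSALTED_TABLE = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in COMMON}
USER_PASSWORDS = ["password", "password", "qwerty"]


def demo() -> dict:
    unsalted = [{"salt": b"", "digest": hash_password(p, b"")} for p in USER_PASSWORDS]
    salted = [new_record(p) for p in USER_PASSWORDS]
    return {
        # Without a salt, every common password matches the table directly.
        "unsalted_hits": precomputed_hits(unsalted, UNSALTED_TABLE),
        # With per-user salts the same table matches nothing.
        "salted_hits": precomputed_hits(salted, UNSALTED_TABLE),
        # Two users with the same password no longer share a digest.
        "same_password_same_digest": salted[0]["digest"] == salted[1]["digest"],
        "verify_ok": verify("password", salted[0]),
        "verify_bad": verify("letmein", salted[0]),
    }


if __name__ == "__main__":
    print(demo())
```

A salt only removes the precomputed-table shortcut; SHA1 itself is fast to compute, which is why current password storage guidance favours deliberately slow functions such as bcrypt, scrypt or Argon2.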
Expert view
While we always preach practicing safe internet, SiliconANGLE spoke to Mike Raggo, Chief Research Scientist at social media security company ZeroFOX, Inc. about the Tumblr hack, and the hack of MySpace, which is believed to have been undertaken by the same hacker.
“As these accounts are compromised, users of these platforms can expect phishing campaigns to follow as a method of exploiting additional accounts or targeting other data on the computers and mobile devices used to access those accounts,” Raggo explained.
“Users should not only reset their passwords using strong passwords as well as two-factor authentication when possible, but be particularly watchful of reviewing a social media link before you click on it to avoid being a victim of further attacks. This might also be a good time to revisit your bio and reconsider how much personal information you share such as your birthdate, home address, phone number, and more.”
Presuming the numbers are correct, the Tumblr hack is now the third largest recorded, behind Adobe with 152 million accounts, and MySpace on 427 million.
Image credit: Tumblr/unknown