14 DAY TRIAL // Starting yesterday, Tumblr began prompting users to reset their passwords, saying that a third party had come into the possession of old Tumblr login information.
The company stated that its engineers became aware that someone got hold of Tumbler user emails, along with password strings in salted and hashed format.
Tumblr user data is old, from 2013
Yahoo claims the data is old, originating from 2013, before they acquired Tumblr from their previous owners. However, the company didn't specify if the data came from a misplaced backup or a previous data breach.
Further, Yahoo did not mention how many users were affected. Logging into one of Softpedia's Tumblr test accounts, we were prompted to change our password. So was your reporter when logging into his personal account.
Other accounts we tested did not get a prompt to change their password, so it appears that only a portion of the 550 million Tumblr users are affected. Obviously, all user accounts created after 2013 are not in any danger.
No attempts were made to use the compromised user accounts
Tumblr security staff say they haven't seen any signs of anyone trying to use the leaked data to sign into compromised accounts.
At the end of April, Spotify faced a similar incident, when hundreds of user accounts, complete with access credentials, were leaked on the Web. Spotify denied any massive data breach, blaming individual users who reused their Spotify passwords on other websites.
Below is Yahoo's full security announcement regarding the recent user info leak.
“ We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password. ”