In a statement to Motherboard, the same hacker behind the sale of stolen LinkedIn credentials referred to the advertised Tumblr database simply as a “list of emails”.
Tumblr was noted to have hashed the passwords with SHA1 in addition to “salting” them, making them difficult for hackers to crack.
The same hacker, Peace, claimed ownership of a vast database of MySpace login details totaling 360 million, which would make it one of the biggest password leaks known to date.
While the date of the breach has not yet been determined, it is known that the stolen credentials may have been compromised and mined long before MySpace waned in popularity.
Cory Scott, Chief Information Security Officer of the 14-year-old business-oriented social networking site, was quick to address the incident in an official blog entry, saying, “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.”
Days before the stolen LinkedIn credentials resurfaced in the underground market, a May 12 bulletin from microblogging site Tumblr divulged details of unauthorized third-party access to a “set of Tumblr user email addresses with salted and hashed passwords from early 2013”.
The bad news, according to the IC3, is that cyber extortionists quickly seized on the disconcerting news of the massive data dumps, claiming that names, phone numbers, addresses, credit card information and other personal details have fallen into their hands and could be exposed to the recipient’s family, friends, and even social media contacts.
The good news, as the scammers cleverly put it, comes after settling a ransom that ranges from 2 to 5 Bitcoins, or an amount equivalent to 250-1,200 USD, in exchange for continued discretion about said ruinous information.
“I have also used your user profile to find your social media accounts. Using this I can now message all of your friends and family members.”
A different extortion email says, “We have prepared a letter to be mailed to the following address that details all of your activities including your profile information, your login activity, and credit card transactions.
Now for the good news, you can easily stop this letter from being mailed by sending 2 bitcoins to the following address.” Others go to the length of threatening recipients with the financial and emotional strain that could come from the disclosure of sensitive information to the target’s contacts, bargaining that continued secrecy of the collected information once payment is made is more convenient than the potential court proceedings and social embarrassment of a disclosure that could ruin the victim’s reputation.
To mitigate any further danger from the breach, MySpace has invalidated the passwords of all accounts created before June 2013 on the site’s older platform, which are believed to be directly affected by the breach.
Returning users will then be prompted to verify their respective accounts and to reset their passwords.