Yahoo has forced a password reset on Tumblr account holders after it discovered that someone had accessed email addresses, and salted and hashed passwords from early 2013.
A Tumblr spokesperson would not disclose who had accessed the data, where it was found, nor how many email addresses were impacted and how many of those are still active accounts.
The spokesperson also would not confirm whether Tumblr had been breached.
“This data is 3 years old, we don’t have forensic information from that time,” the spokesperson told Threatpost via email. “Most of Tumblr’s systems from that time have been retired, and important credentials have been rotated.”
Yahoo, which acquired Tumblr for $1.1 billion in 2013, disclosed the situation Thursday on its Yahoo Paranoids blog.
“As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts,” Yahoo said. “As a precaution, however, we will be requiring affected Tumblr users to set a new password.”
Tumblr said it would not comment on where it found the email addresses and passwords for fear of providing too much visibility into its investigatory methods.
“We have analyzed the set of Tumblr data, and have no reason to believe it was used to access accounts. Due to account and password reuse, we see a regular volume of attempted unauthorized activity on accounts,” Tumblr’s spokesperson said. “As noted in our blog, these passwords were hashed. To be more specific, the passwords were salted and hashed. We have no reason to believe that this information was used to access Tumblr accounts.”
Tumblr does offer two-factor authentication for its account holders, and has a dedicated security team inside Yahoo.
“We have a comprehensive program for protecting our users that includes working with third parties to monitor for information of this nature, including law enforcement, private entities, and partners in our industry,” Tumblr’s spokesperson said.
Yahoo has been vocal about the progression of its security program, starting with a post-Snowden ramp-up of its encryption efforts, the launch of a bug bounty in 2013 and the hiring of high-profile CISOs Alex Stamos and current chief Bob Lord, formerly of Twitter and Rapid7.
Late last year, Yahoo announced a new initiative under which it would begin warning users when it believed their accounts were involved in state-sponsored targeted attacks. The move came on the heels of similar announcements from Facebook and Twitter.
In March, Yahoo announced the availability of a stable version of its Account Key mechanism, a two-step authentication feature for mobile apps that it hopes would eventually eliminate passwords.