Tumblr Accounts Must Reset Passwords

Yahoo is forcing a password reset on Tumblr accounts after a cache of email addresses and salted and hashed passwords from 2013 was discovered in the wild.

Yahoo has forced a password reset on Tumblr account holders after it discovered that someone had accessed email addresses, and salted and hashed passwords from early 2013.

A Tumblr spokesperson would not disclose who had accessed the data, where it was found, nor how many email addresses were impacted and how many of those are still active accounts.

The spokesperson also would not confirm whether Tumblr had been breached.

“This data is 3 years old, we don’t have forensic information from that time,” the spokesperson told Threatpost via email. “Most of Tumblr’s systems from that time have been retired, and important credentials have been rotated.”

Yahoo, which acquired Tumblr for $1.1 billion in 2013, disclosed the situation Thursday on its Yahoo Paranoids blog.

“As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts,” Yahoo said. “As a precaution, however, we will be requiring affected Tumblr users to set a new password.”

Tumblr said it would not comment on where it found the email addresses and passwords for fear of providing too much visibility into its investigatory methods.

“We have analyzed the set of Tumblr data, and have no reason to believe it was used to access accounts. Due to account and password reuse, we see a regular volume of attempted unauthorized activity on accounts,” Tumblr’s spokesperson said. “As noted in our blog, these passwords were hashed. To be more specific, the passwords were salted and hashed. We have no reason to believe that this information was used to access Tumblr accounts.”

Tumblr does offer two-factor authentication for its account holders, and does have a dedicated security team inside of Yahoo.

“We have a comprehensive program for protecting our users that includes working with third parties to monitor for information of this nature, including law enforcement, private entities, and partners in our industry,” Tumblr’s spokesperson said.

Yahoo has been vocal about the progression of its security program, starting with a post-Snowden ramp-up of its encryption efforts, the launch of a bug bounty in 2013 and the hiring of high-profile CISOs Alex Stamos and current chief Bob Lord, formerly of Twitter and Rapid7.

Late last year, Yahoo announced a new initiative where it would begin warning users when it believed accounts were involved in state-sponsored targeted attacks. The move came on the heels of similar announcements from Facebook and Twitter.

In March, Yahoo announced the availability of a stable version of its Account Key mechanism, a two-step authentication feature for mobile apps that it hopes will eventually eliminate passwords.


  • Please change your password to use your name on

    I hate Yahoo and their awful security making me change passwords every month, verifying my cellphone all year, making me set up security questions, a second e-mail, locking me out of my own accounts... Since they will be hacked again pretty soon I might as well delete my Yahoo accounts
  • Tumblr User on

    I HAVE A SOLUTION FOR THOSE WHO CAN'T ACCESS THE EMAIL TO RESET THE PASSWORD! grin emoticon if the email was deactivated, you can reactivate OR, you can just re create the email. I used a hotmail email address and I opened it specifically for tumblr purposes so naturally I didn't log into it ever, so hotmail deleted it and i couldn't reactivate it because i hadn't logged in for over a year. So I just ended up making a "new" email address, using the same name ____________@hotmail.com and had tumblr send the email to it! Woohoo! I'm back!
    • Anonymous on

      Can you explain this in a little greater detail? I am having this exact problem. I cannot access the email because it was deactivated long ago.
    • KarmenSandiego on

      I did the same thing! But with Aol.. Will this really work? I'm so desperate, my blog was my LIFE.
    • Ceara on

      THNK U SO MUCH!!! Saved my life!! Had tumblr for so long and was crying because I thought it would be gone forever
  • chickennuggets on

    i thought i was the only one who wanted to throw my gadgets when tumblr forced me to change my pw lmao
  • RS on

    My email is still active but I still have yet to receive a password reset email from Tumblr after trying several times. My friends can no longer see my new posts but my app on my iPhone still allows me to post and use the site like normal. Please help, my account is 6 years old and I will be devastated if I can no longer access it :C
  • Celeste on

    Tumblr sucks. i had a blog going with almost 4000 people following me and i was having so much fun and i put a ton of time into it, but i forgot to update my email to my current one, and now i can't access it at all and i lost my blog. Thanks tumblr.
