tumblr Data Breach
Tumblr Microblogging Platform Breach (2013): 65 Million User Email Addresses & Salted Passwords Exposed
Microblogging and social media platform.
Risk Interpretation
Exposure enables account takeover, harassment, deanonymization, and reputational harm. Historic posts and pseudonymous identities can also be linked back to real individuals.
Impact & Downstream Threats
In early 2013 Tumblr suffered a credential breach exposing approximately 65 million email addresses and passwords stored as salted SHA-1 hashes. The data did not surface publicly until 2016, when it was put up for sale on dark web marketplaces alongside similarly delayed breaches from LinkedIn, MySpace, and other major platforms. Tumblr, then operating under Yahoo's ownership, notified affected users and required password resets. The incident was part of the "mega-breach" wave of 2016 that revea
- Credential stuffing against reused passwords across other platforms
- Targeted phishing campaigns using exposed email addresses
Threat Vectors
Breach Intelligence
Executive Summary
Tumblr suffered a credential breach in early 2013 that exposed approximately 65.5 million user accounts. The compromised data was not discovered publicly until 2016, when it appeared for sale on dark web marketplaces alongside similarly delayed breaches from LinkedIn and MySpace. The breach pathway involved a direct system compromise, though the precise technical method was not fully disclosed. The exposed data included email addresses and passwords. The passwords were stored as salted SHA-1 hashes, meaning they were not stored in plain text, but SHA-1 is a weak hashing standard by modern security standards and can be cracked with sufficient computing power. For Tumblr users, the platform's pseudonymous nature adds a distinct risk: exposed email addresses can be cross-referenced with other data to link anonymous online identities to real people, along with years of posts, communities, and personal expression tied to those accounts. Tumblr, operating under Yahoo's ownership at the time, notified affected users and required password resets following the data's public emergence in 2016. No significant regulatory action was publicly reported in connection with this breach. Anyone with a Tumblr account predating 2013 should treat their credentials as compromised, particularly if they reused the same password on other services, as credential stuffing attacks routinely exploit aged breach data.
About tumblr
Tumblr is a microblogging and social media platform built around short-form multimedia posts, creative expression, and pseudonymous community identity. It was founded in 2007 by David Karp, acquired by Yahoo in 2013 for $1.1 billion, passed to Verizon through its Yahoo acquisition in 2017, and sold to Automattic — the company behind WordPress.com — for a reported sum of less than $3 million in 2019. The platform continues to operate under Automattic as a niche creative and fandom community.
Why They Hold Your Data
Social publishing platforms collect user accounts, emails, usernames, passwords, messages, posts, social relationships, and engagement history across blogging and community workflows.
Recent Developments
Tumblr has operated under Automattic since 2019 with significantly reduced scale and cultural footprint from its peak. The platform introduced an adult content ban in December 2018 — prior to the Automattic acquisition — which triggered a large user exodus. Automattic CEO Matt Mullenweg has publicly acknowledged the platform is not profitable. Tumblr introduced a paid subscription tier in 2022. It remains active as a niche community platform but its days as a mainstream social network are long past.
Data Points Exposed
Canonical Fields
email_address, password
Dark Web Verification
- Dataset containing ~65.5M records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: tumblr Data Breach;tumblr.com-2013
Recommended Actions
⚠️ Do not assume this is low sensitivity.
Protect Yourself
Check If You’re Affected
Enter your email to check if your data appears in this breach.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed.
High-Risk? Get an Exposure Audit
Full-spectrum exposure audits for executives and public figures.
ObscureIQ Advisory
We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.
- A public-facing individual
- A high-profile executive
- A customer of tumblr
- Or concerned about credential reuse
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
Latest from ObscureIQ
What Is Credit Monitoring? And Do I Want It? (Answer: Not Really)
Lock Down Browsers. Wipe Employee Footprints. Win Breach Wars.
Sextortion Spam