tumblr 2013 Data Breach

Tumblr Microblogging Platform Breach (2013): 65 Million User Email Addresses & Salted Passwords Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Misconfiguration · Social · Email Address · Password
Low Severity · Website / service breach

Microblogging and social media platform.

Verified by ObscureIQ Intelligence
Breach Risk Index: 12/100
Data Value: 5
Market Recency: 10
Since Breach: 3620 days

Breach Intelligence Summary

Entity: tumblr · Actor: Unknown · Sources: 11 references
Attack: Misconfiguration
Profile: Platform · Blogging and social media · Content publishing platform · Global
Timeline: Breach (2013-02-28) · Indexed (May 29, 2016) · Year (2013)
Exposure: 65.5M records · 2 fields: Email Address, Password
Status: Confirmed

Executive Summary

Tumblr suffered a credential breach in early 2013 that exposed approximately 65.5 million user accounts. The compromised data did not become publicly known until 2016, when it appeared for sale on dark web marketplaces alongside similarly delayed breaches from LinkedIn and MySpace. The breach pathway involved a direct system compromise, though the precise technical method was not fully disclosed.

The exposed data included email addresses and passwords. The passwords were stored as salted SHA-1 hashes rather than in plain text, but SHA-1 is weak by modern security standards and can be cracked with sufficient computing power. For Tumblr users, the platform's pseudonymous nature adds a distinct risk: exposed email addresses can be cross-referenced with other data to link anonymous online identities to real people, along with years of posts, communities, and personal expression tied to those accounts.

Tumblr, operating under Yahoo's ownership at the time, notified affected users and required password resets following the data's public emergence in 2016. No significant regulatory action was publicly reported in connection with this breach. Anyone with a Tumblr account predating 2013 should treat their credentials as compromised, particularly if they reused the same password on other services, as credential stuffing attacks routinely exploit aged breach data.

ObscureIQ assessment: Exposure enables account takeover, harassment, deanonymization, and reputational harm. Historic posts and pseudonymous identities can also be linked back to real individuals.

Breach Impact

In early 2013 Tumblr suffered a credential breach exposing approximately 65 million email addresses and passwords stored as salted SHA-1 hashes. The data did not surface publicly until 2016, when it was put up for sale on dark web marketplaces alongside similarly delayed breaches from LinkedIn, MySpace, and other major platforms. Tumblr, then operating under Yahoo's ownership, notified affected users and required password resets. The incident was part of the "mega-breach" wave of 2016 that revealed how many large credential databases from the early 2010s had been quietly circulating among criminal networks for years before becoming public knowledge.

About tumblr

Tumblr is a microblogging and social media platform built around short-form multimedia posts, creative expression, and pseudonymous community identity. It was founded in 2007 by David Karp, acquired by Yahoo in 2013 for $1.1 billion, passed to Verizon through its Yahoo acquisition in 2017, and sold to Automattic — the company behind WordPress.com — for a reported sum of less than $3 million in 2019. The platform continues to operate under Automattic as a niche creative and fandom community.

Why They Hold Your Data

Social publishing platforms collect user accounts, emails, usernames, passwords, messages, posts, social relationships, and engagement history across blogging and community workflows.

Recent Developments

Tumblr has operated under Automattic since 2019 with significantly reduced scale and cultural footprint from its peak. The platform introduced an adult content ban in December 2018 — prior to the Automattic acquisition — which triggered a large user exodus. Automattic CEO Matt Mullenweg has publicly acknowledged the platform is not profitable. Tumblr introduced a paid subscription tier in 2022. It remains active as a niche community platform but its days as a mainstream social network are long past.

Data Points Exposed

2 verified field types:
  • Email Address
  • Password (Critical)

Exploitation & Downstream Threats

Threat Activity: High
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Targeted phishing campaigns using exposed email addresses
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Credential stuffing & account takeover

Recommended Actions

If you believe your information may be included:

  • Change Reused Passwords: Update this account and anywhere you reused the password; use a password manager.
  • Enable MFA Everywhere: Turn on multi-factor authentication on email first, then financial accounts.
  • Report & Recover: If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the tumblr breach?

Tumblr suffered a credential breach in early 2013 that exposed approximately 65.5 million user accounts. The compromised data was not discovered publicly until 2016, when it appeared for sale on dark web marketplaces alongside similarly delayed breaches from LinkedIn and MySpace. The breach pathway…

What data was exposed?

Verified fields include Email Address, Password.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • Have I Been Pwned (Breach Index): Record & field corroboration
  • DataBreach.com (Breach Index): Record & field corroboration
  • 9ghz (Cross-source): Independent catalogue listing
  • BreachAware (Cross-source): Independent catalogue listing
  • BreachForums_Official_Index (Cross-source): Independent catalogue listing
  • DataViper.io (Cross-source): Independent catalogue listing
  • Dehashed (Cross-source): Independent catalogue listing
  • HackNotice.com (Cross-source): Independent catalogue listing
  • Keeper (Cross-source): Independent catalogue listing
  • LeakBase.pw (Cross-source): Independent catalogue listing
  • ObscureIQ proprietary analysis (ObscureIQ Intelligence): Risk Index scoring & downstream-threat assessment
