Knowledge Base::DBSA:2016-05301

From Digibase Knowledge Base
Revision as of 18:03, 30 May 2016 by Kradorex Xeron (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Contents

Digibase Security Advisory - Tumblr Compromise

Keywords: Tumblr, compromise, passwords, email addresses

DBSA ID: 2016-05301

Regarding: Tumblr Compromise

Writeup: Kradorex Xeron (talk) 17:48, 30 May 2016 (EDT)

Date: 2016 05 30

Last Modified: 20160530180342 by Kradorex Xeron

Who should take note: All Tumblr Users

Classification

Priority: MODERATE

Rationale: Users need to ensure their information is secured.

Severity: HIGH

Rationale: Usernames, salted+hashed passwords, email addresses among other information has reportedly been compromised.

Spread of Issue: SINGLE-PLATFORM HIGH

Rationale: 65 Million records are reported to have been compromised.

Description

Tumblr is a social networking site targetted toward sharing various kinds of content between users. On 30 May 2016, it has been reported that in 2013 that there was a compromise of Tumblr's systems resulting in 65 million email addresses and passwords being compromised. Tumblr has reported that the passwords were stored in a hashed and salted manner, a technique that resists rainbow table attacks where a dictionary of suspected hashed passwords are compared to the database without requiring brute force techniques.

Mitigation/Solution

Users should change their Tumblr passwords on a rolling basis to temporary passwords, once immediately and then again after 2 weeks users may reset to a more longterm password. This method ensures that the service has fixed the vulnerability before one becomes too reliant upon a new password. Users should also ensure that their password is not shared among other sites, to which those passwords that do will also need to be reset in a single change.

Users should also be highly suspicious of any contacts via email and use non-email methods to verify legitimacy of such email. Password resets should only be performed through known good links.

References

Personal tools