Tumblr Breach Exposed More Than 65 Million Accounts
Tumblr suffered a major breach that exposed data from more than 65 million user accounts, according to breach tracking and reporting tied to the incident. The compromised records included email addresses and passwords, with the passwords stored as salted SHA-1 hashes, indicating attackers obtained credential data that could still pose risk if reused elsewhere.
Subsequent analysis and reporting said the stolen database was later circulated and offered for sale on a dark market site, turning the intrusion into a broader credential exposure event. The scale of the breach placed Tumblr among the larger consumer platform compromises, and the publication of the dataset increased the likelihood of credential stuffing and account takeover attempts against affected users.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Stolen Tumblr dataset is offered for sale on a dark market
After the breach, the stolen Tumblr dataset was offered for sale on a dark market website, indicating criminal distribution of the exposed account data. Reporting and analysis identified the dataset as containing roughly 65 to 68 million passwords.
Tumblr suffers breach exposing over 65 million accounts
Tumblr experienced a major data breach in early 2013 that exposed more than 65 million user accounts. The compromised data included email addresses and passwords stored as salted SHA1 hashes.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Massive Credential Exposure Reveals Billions of Stolen Login Records
Researchers and media reports disclosed enormous troves of exposed login data, including an unprotected 47.42 GB database containing **184,162,718** unique usernames and passwords tied to services such as Microsoft, Facebook, Google, Instagram, Snapchat, Discord, Netflix, PayPal, and government portals in 29 countries. Security researcher Jeremiah Fowler found the database on an unmanaged server with no password protection or encryption, and sample records included account types, website URLs, and plaintext passwords labeled `senha`. Fowler said multiple individuals confirmed the leaked credentials were genuine after he contacted them directly. The exposed records are believed to be linked to **infostealer malware** and broader malware-as-a-service collection operations, with subsequent reporting describing a far larger cache totaling **16 billion** credentials affecting major consumer platforms including Apple, Facebook, and Google. The disclosures raise immediate risks of credential stuffing, account takeover, phishing, fraud, and unauthorized access to corporate and government systems. Public access to the 184 million-record database was later restricted after responsible disclosure to the hosting provider, but the owner of the data remains unidentified.
May 25, 2026
Instagram Data Breach Exposes Personal Information of 17.5 Million Users
A significant data breach has exposed the personal information of approximately 17.5 million Instagram users, with details including usernames, email addresses, phone numbers, and physical addresses now reportedly available for sale on the dark web. The breach, identified by Malwarebytes during routine dark web monitoring, has led to a surge in password reset emails sent to affected users and raised concerns about the potential for phishing, account takeovers, and more severe real-world threats such as stalking and extortion. Security researchers note that the leaked data appears to be more comprehensive than previous incidents, with attackers possibly correlating Instagram user IDs with external data sources to link online identities to real-world addresses. The compromised database, described as a "doxxing kit," is being sold in batches on cybercrime forums, increasing the risk of targeted attacks against those affected. While Meta has not yet issued an official statement regarding the incident, security experts warn that the exposure of physical addresses alongside digital identifiers significantly elevates the privacy and safety risks for users. The breach underscores the importance of enabling two-factor authentication and monitoring for suspicious account activity, as the stolen data is actively circulating and may be used for a range of malicious purposes beyond typical credential abuse.
Mar 21, 2026
Exposed Elasticsearch Database Leaked 24 Billion Stolen Credentials
Researchers uncovered an exposed **Elasticsearch** database containing roughly **24 billion** plaintext credential records, including usernames, email addresses, passwords, and associated login URLs. The dataset was estimated at more than **8 terabytes** and appeared to aggregate data from **36 sources**, including infostealer logs, Telegram channels, prior breach collections, local database dumps, and exports from live servers. Investigators said the database was publicly accessible before being taken offline, but the owner could not be identified. The exposed records create a significant risk of **credential stuffing**, account takeover, and broader identity abuse at global scale, especially for users who do not use **multi-factor authentication**. Researchers reported that more than 30 of the sources were linked to Telegram channels and that **22.6 billion** entries were broadly labeled as “collections,” while signs of regular updates suggested the dataset was being actively curated. They also found records referencing **CVE** identifiers, GitHub links, breach news, and social media posts about incidents, indicating the operator may have been monitoring the cybersecurity landscape while maintaining the credential trove.
Jun 19, 2026