The full extent of Tumblr’s 2013 hack has finally been revealed – with more than 65 million accounts thought to have been impacted.

Hackers targeted Tumblr some three years ago, eventually getting access to email addresses with salted and hashed passwords. At the time Tumblr admitted that there had been a breach, but was noticeably scant on figures. The company offered advice for anyone thought to have been impacted (even though the passwords were still encrypted), though didn’t say how many people it could have been.

Now it seems there was a good reason for keeping quiet, as it was actually more than 65 million accounts that were put at risk – or 65,469,298 people, to be exact.

Affected users should review all their online passwords

On the subject of passwords, Tumblr users were advised to change them as a precaution. However, Tumblr didn’t quite go so far as to advise affected individuals to also change other accounts they have across the web, which also use the same credentials. After all, if a hacker gets the email address and passwords from a Tumblr user, they could access Facebook, Twitter or anything else – provided the passwords are uniform. Even if they change slightly (such as the addition of a number), this makes the job of account hacking significantly easier.

Even if the stolen passwords remain encrypted, hackers still have the ability to ‘phish’ account holders – by emailing them with a message that looks like it comes from Tumblr, in which users are asked to provide personal data.

The specifics of the Tumblr hack were identified by Troy Hunt, of the ‘Have I Been Pwned?’ website. He discovered a cache of more than 65 million email addresses and hashed passwords being put up for sale on the dark web.

Account holders may be shocked to learn that anyone can get their hands on the database for a measly £104. The reason for this is simply how difficult the hashed passwords are to crack. Tumblr is said to have used the SHA1 algorithm to protect the passwords, and it appears to have worked.