In May 2016, a dataset containing 65.5 million Tumblr user email addresses and hashed passwords appeared for sale on dark web markets, offered by the same seller (‘peace_of_mind’) who was simultaneously selling data from LinkedIn (117M), MySpace (360M), and other major platforms. The data was traced to a breach that had occurred in early 2013 — approximately three years before discovery. Tumblr (then owned by Yahoo, which had acquired it in 2013) disclosed the breach on May 12, 2016. The passwords were hashed using SHA-1, a weak hashing algorithm, though Tumblr stated that many passwords were salted. Tumblr required affected users to set new passwords upon next login. Yahoo/Tumblr did not disclose the precise initial attack vector due to the multi-year delay before discovery. The breach was part of a wave of 2013-era social media breaches surfacing simultaneously in 2016 from the same seller, collectively affecting hundreds of millions of users. The incident illustrated the lasting consequences of 2013-era password storage practices and the difficulty of determining breach timelines years after the fact.