From a data breach during early 2013, 65 million Tumblr user accounts were potentially compromised and long term users are requested to select a new password for their accounts

http://www.welivesecurity.com/2016/05/30/65-million-tumblr-users-probably-careful/

Hunt recently came across a database being sold on the computer underground containing 65,469,298 unique emails and hashed passwords.  As Motherboard reports, the database is being sold by a hacker going by the name of “Peace”, for the lowly sum of $150. “Peace” also claims that Tumblr used the SHA1 algorithm to store the passwords, making them extremely hard to crack – and probably explaining the cheap price.

But even if your Tumblr password isn’t at much risk of being cracked, you should still probably change it. Just make sure it’s changed to something unique, hard to crack and hard to guess. I would also advise enabling two-step verification on your Tumblr account as well. And don’t think that dealing with the password breach means that you can relax. Your email address is now “out there”, and criminals know how to contact you and 65 million other Tumblr users.

 

https://staff.tumblr.com/post/144263069415/we-recently-learned-that-a-third-party-had

We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password.  or additional information on keeping your accounts secure, please visit our Account Security page.