More than 65 million user account details were stolen during a hack on Tumblr, it has been claimed.
The blogging site announced on 12 May that its security had been compromised in 2013, but would not say how many users were affected.
Now a report by data breach awareness site Have I Been Pwned (HIBP) claims that 65,469,298 email addresses and passwords were stolen.
If confirmed, HIBP said that would make it the third biggest ever security breach. Tumblr has not commented on the report.
In a statement issued at the time of the incident, the company said the passwords were protected by a process called “salted and hashing”, which involves turning the password into a string of digits.
But it still advised users to change their logins.
Website Motherboard reported that users’ details were being offered for sale on the internet and dark web.
That means that even if your account can’t be accessed, you could be at risk of receiving spam and phishing emails.
Motherboard reported that the database is being sold by a hacker called “Peace” for just $150 (£103).
It said the low price reflected the difficulty of trying to crack users’ passwords.
The security lapse is the third to be revealed in recent weeks after breaches at LinkedIn and MySpace.
Earlier this month the same hacker claimed to have more than 100 million LinkedIn logins after an attack on the site in 2012 and 360 million MySpace email addresses and passwords.