by _d4bj 3235 days ago
If there was no salt in the database, it looks like Tumblr used a secret "pepper" (https://en.wikipedia.org/wiki/Pepper_(cryptography))? Why wouldn't they include a salt as well? Or did the database dump just not have the salt column?

> If there was no salt in the database, it looks Tumblr used a secret "pepper"

It's absolutely clear that Tumblr did not use a pepper to create the dumped hash values in the article. Multiple users had the same hash, and most of those users had the same password as each other on another site.

A pepper is shared among all users of a site. That's what makes it different from a salt.

Or are you saying that the exact same hash was found in multiple separate database dumps? I didn't see any indication of that in the article.

What you say seems to directly contradict the Wikipedia link above, which says:

"The pepper is randomly generated for each value to be hashed (within a limited set of values), and is never stored. When data is tested against a hashed value for a match, this is done by iterating through the set of values valid for the pepper, and each one in turn is added to the data to be tested (usually by suffixing it to the data), before the cryptographic hash function is run on the combined value."
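The two meanings of "pepper" argued over in this thread are easy to tell apart in code. The added example below (written for this page, not code from the thread, from Tumblr, or from Wikipedia) builds a toy credential store under three schemes: an unsalted hash, a single server-side secret shared by all users (the "global pepper" the earlier comment describes), and a per-user salt. It then counts duplicate stored values across users who share a password, which is exactly the signal the earlier comment uses to rule out a salt. It also implements the second, iterated meaning quoted from Wikipedia above: a small random pepper appended per value and never stored, so verification has to try every candidate. The secret, the salts, the pepper set size and the iteration count are all constructed values chosen to keep the demo fast, not parameters of any real deployment.

```python
import hashlib
import hmac
import os
import secrets
from typing import Callable, List, Optional

# Constructed demo values: a server-side secret that would live outside the
# database, and a deliberately small work factor so the demo runs quickly.
PEPPER_SECRET = b"constructed-server-side-secret-pepper"
PBKDF2_ITERATIONS = 20_000


def hash_no_salt(password: str) -> str:
    # Unsalted hash: two users with the same password get the same stored value.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_global_pepper(password: str) -> str:
    # One secret shared by every user, mixed in via HMAC. It stops offline
    # guessing without the secret, but identical passwords still collide in a dump.
    return hmac.new(PEPPER_SECRET, password.encode(), hashlib.sha256).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> str:
    # Per-user random salt stored beside the hash; the salt alone makes the
    # stored values differ for users sharing a password.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def simulate_dump(scheme: Callable[[str], str], passwords: List[str]) -> List[str]:
    # What an attacker would see in a leaked table: one stored value per user.
    return [scheme(pw) for pw in passwords]


def duplicate_count(stored: List[str]) -> int:
    # Number of rows whose stored value repeats an earlier row's value.
    return len(stored) - len(set(stored))


def collision_report(passwords: List[str]) -> dict:
    # Duplicate counts per scheme for the same list of user passwords.
    return {
        "unsalted": duplicate_count(simulate_dump(hash_no_salt, passwords)),
        "global_pepper": duplicate_count(simulate_dump(hash_global_pepper, passwords)),
        "salted": duplicate_count(simulate_dump(hash_salted, passwords)),
    }


# Second meaning (the Wikipedia quote): a pepper drawn from a small set, appended
# to the value, and never stored. 32 one-byte candidates here; a constructed size.
PEPPER_SET = [bytes([b]) for b in range(32)]


def hash_iterated_pepper(password: str, salt: bytes) -> str:
    # The chosen pepper is discarded after hashing; only salt and digest persist.
    pepper = secrets.choice(PEPPER_SET)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode() + pepper, salt, PBKDF2_ITERATIONS)
    return digest.hex()


def verify_iterated_pepper(password: str, salt: bytes, stored: str) -> bool:
    # Verification brute-forces the pepper on every login; a guesser pays the
    # same multiplier per candidate password, which is the scheme's purpose.
    for pepper in PEPPER_SET:
        digest = hashlib.pbkdf2_hmac("sha256", password.encode() + pepper, salt, PBKDF2_ITERATIONS)
        if hmac.compare_digest(digest.hex(), stored):
            return True
    return False


if __name__ == "__main__":
    users = ["hunter2", "hunter2", "letmein"]  # constructed: two users share a password
    print(collision_report(users))  # salted scheme is the only one with 0 duplicates
    salt = os.urandom(16)
    stored = hash_iterated_pepper("correct horse", salt)
    print(verify_iterated_pepper("correct horse", salt, stored))
    print(verify_iterated_pepper("wrong password", salt, stored))
```

Running `collision_report` on a list where two users share a password shows the point of the earlier comment: both the unsalted and the global-pepper schemes produce a repeated stored value, and only the per-user salt removes the duplicate. The iterated scheme's `verify_iterated_pepper` costs up to 32 derivations for a wrong password, which is why it is rarely seen in production compared to a shared secret.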

The talk page mentions "pepper" having two meanings, both of which are mentioned in the article. I wasn't familiar with the one that involves brute-forcing it on every login attempt, and I've never heard of it being used in production on a real site (whereas a global shared secret seems to be reasonably common).
> I wasn't familiar with the one that involves brute-forcing it on every login attempt, and I've never heard of it being used in production on a real site (whereas a global shared secret seems to be reasonably common).

In case you're interested, that is the same scheme as the one used by JoeyH's keysafe[1].

[1]: http://joeyh.name/code/keysafe/

That is not the cryptographic definition of a pepper.
It seems to be how it's typically handled in practice. Example: https://blogs.dropbox.com/tech/2016/09/how-dropbox-securely-...
I understand your point, but a close reading of the dropbox article shows a qualified pepper they term "global pepper."