Tumblr just fessed up to a frankly embarrassing security flaw that exposed millions of users’ passwords. Actually, “embarrassing” might be an understatement in the broader spectrum of screw-ups a company like Tumblr could make. “Astonishingly stupid” works, too.
The nature of the flaw itself is relatively simple. For an unknown amount of time, Tumblr wasn’t securely logging in users on iOS devices. Instead of transmitting sensitive user data like passwords over an encrypted connection, Tumblr’s iOS app sent it out over the air in plain text, where anyone able to watch the traffic (someone on the same coffee-shop Wi-Fi, say, or anywhere else along the network path) could read it without breaking anything. The damage compounds if you use the same password for your Tumblr account as for your Facebook or Twitter or email account, because an attacker who grabs it once can try it everywhere. Again, this is Cybersecurity 101: do not leak your users’ passwords to everyone.
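To make the failure concrete, here is an added example (not code from Tumblr or from the original post) showing both sides of it: what a passive observer on the network recovers from a captured plaintext login request, and the kind of client-side guard that would have refused to send credentials without TLS in the first place. The captured request, host name, paths and field names are all constructed for illustration and are not Tumblr’s real endpoints.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample of what a passive sniffer sees when a client POSTs a
# login form over plain HTTP. Hypothetical host and path, not Tumblr's.
CAPTURED_HTTP_LOGIN = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 42\r\n"
    b"\r\n"
    b"email=alice%40example.com&password=hunter2"
)

# Field names that should never travel unencrypted. Illustrative list.
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd", "token", "secret"}


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return method.decode(), path.decode(), headers, body


def find_plaintext_credentials(raw: bytes) -> dict:
    """Return credential-looking fields readable from a captured request.

    Checks the query string and a form-encoded or JSON body; this is what an
    eavesdropper gets for free when the transport is not encrypted.
    """
    _method, path, headers, body = parse_http_request(raw)
    found = {}

    # Credentials in a GET query string are worse still: they end up in
    # proxy and server logs as well as on the wire.
    for key, values in parse_qs(urlsplit(path).query).items():
        if key.lower() in CREDENTIAL_FIELDS:
            found[key] = values[0]

    ctype = headers.get("content-type", "")
    if "application/x-www-form-urlencoded" in ctype:
        for key, values in parse_qs(body.decode(errors="replace")).items():
            if key.lower() in CREDENTIAL_FIELDS:
                found[key] = values[0]
    elif "application/json" in ctype:
        try:
            payload = json.loads(body.decode(errors="replace"))
        except ValueError:
            payload = {}
        if isinstance(payload, dict):
            for key, value in payload.items():
                if key.lower() in CREDENTIAL_FIELDS:
                    found[key] = str(value)
    return found


def credentials_allowed_over(url: str, fields: dict) -> bool:
    """Client-side guard: credential fields may only be sent over https.

    A login call path should check this before building the request, so a
    misconfigured base URL fails loudly instead of leaking the password.
    """
    carries_secret = any(k.lower() in CREDENTIAL_FIELDS for k in fields)
    return (not carries_secret) or urlsplit(url).scheme == "https"


def build_login_request(url: str, fields: dict) -> str:
    """Assemble a login request, refusing plaintext transport for secrets."""
    if not credentials_allowed_over(url, fields):
        raise ValueError(f"refusing to send credentials over non-TLS URL: {url}")
    return f"POST {urlsplit(url).path} (fields: {sorted(fields)})"


if __name__ == "__main__":
    print("sniffer recovered:", find_plaintext_credentials(CAPTURED_HTTP_LOGIN))
    print(build_login_request("https://app.example.com/api/login",
                              {"email": "alice@example.com", "password": "hunter2"}))
```

The sniffer side needs no cleverness at all: with no TLS, the password is just a substring of the bytes on the wire. The guard is the cheap fix on the client: check the scheme once, centrally, so no individual screen can be wired to a plain-http URL by mistake.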
Tumblr admitted the error in an official company blog post and quickly pushed an app update that stops sending the login unencrypted. It also politely asked any and all users who’ve logged into Tumblr from an iOS device to change their passwords, which, given the reuse problem above, should also mean changing the same password anywhere else it was used. This is all after a Tumblr user reported the problem to Tumblr’s Support Team, which failed to address it.
Aside from the obvious annoyance of potentially being hacked and needing to change your password(s), this little goof-up highlights what a small, young company Tumblr still is. Or at least it used to be a small, young company before it got bought by Yahoo. From here on out, it’ll be interesting to see how Yahoo will shape Tumblr’s future and vice versa. On The Colbert Report Tuesday night, founder David Karp referred to Tumblr as a “path forward” for Yahoo. I’m guessing Yahoo would rather have that path forward be free of booby traps. [The Register]
Image via Flickr / Romain Toornier