UPDATE: Tumblr notified us that the worm has been removed: “Tumblr engineers have resolved the issue of the viral post attack that affected a few thousand Tumblr blogs earlier today. Thank you for your patience.”
UPDATE 2: Tumblr has followed up with a terse blog post saying that all posts related to the attack have been removed: “No accounts have been compromised, and you don’t need to take any further action.” It’s now back to business as usual at Tumblr HQ.
Thanks to the work of an anti-blogging hacker group, Tumblr has been hacked and a surprising number of popular domains have been exploited.
The worm itself isn’t damaging to your blog, so there’s not much to worry about in terms of losing your information or having your blog wiped clean. The worm is similar to the clickbait posts that you’ve seen on Facebook: once you click on the post, it gets republished to your wall (in this case, to your Tumblr blog). The viral post was planted this morning on Tumblr and has spread to 6,000 unique visitors so far in just a matter of a few hours. With 80 million blogs on Tumblr, the affected blogs are just a fraction of the total. However, many popular sites were hit (including USA Today’s and The Verge’s Tumblrs), and the bug has the potential to infiltrate the platform much further.
If you see a hate-filled message like the one in the screenshot below, do not click on it.
If you’re signed into your Tumblr dashboard and click on the post, it will infect your blog and republish the message as a blog post. You won’t have to worry about the “P.S.” part of the message since it’s just an empty threat. Because it publishes just one blog post at a time, removing it should be a matter of deleting the single post without affecting your blog as a whole, but it’s not that straightforward. Unfortunately, it appears that infected Tumblr accounts can’t delete the post through Tumblr’s dashboard without spawning more posts, so the Daily Dot is recommending the Missing-E browser plugin to get rid of the posts for good.
We reached out to Tumblr and their spokesperson responded to the incident with the following statement, indicating that Tumblr is aware of the situation and actively working on combating the problem.
“There is a viral post circulating on Tumblr which begins “Dearest ‘Tumblr’ users”. If you have viewed this post, please log out of all browsers that may be using Tumblr immediately. Our engineers are working to resolve the issue as swiftly as possible. Thank you.”
A “hacktivist” collective by the name of The Gay Ni**er Association of America (GNAA) has stepped up to claim responsibility for the exploit. GNAA’s spokesperson tells the Daily Dot, “The guy who found the bug messaged me about six hours ago, and we went live just under three hours ago. We started with one post on a brand new Tumblr blog, I sent the link to a few people, and it went from there. Well, it looks like we’ve reached nearly 6,000 unique users affected … Never expected it to get this big.”
According to NewMediaRockstars, the GNAA also plans to take on WordPress and Disqus.