Tumblr has sent out emails to its users notifying them of a security breach. However, the issue isn’t Tumblr’s system’s fault, as the hack can be traced back to Zendesk, the email and contact support client that Tumblr and a handful of other social applications use. Pinterest and Twitter are also suffering at the Zendesk security failure.
The security vulnerability has been patched up already, Zendesk wrote in a blog post. But the damage has been done already: The hacker downloaded the email addresses of people who emailed Twitter, Tumblr, and Pinterest support. The only silver lining is that users’ passwords are safe and sound.
If you’re a Tumblr user and ever contacted its support team via email in the past 2.5 years since Tumblr has been using Zendesk Tumblr says that there’s a good chance that you’ve been affected. These are the warning words Tumblr had for users.
“This (security breach) has potentially exposed records of subject lines and, in some cases, email addresses of messages sent to Tumblr Support. While much of this information is innocuous, please take some time today to consider the following:
The subject lines of your emails to Tumblr Support may have included the address of your blog which could potentially allow your blog to be unwillingly associated with your email address.
Any other information included in the subject lines of emails you’ve sent to Tumblr Support may be exposed. We recommend you review any correspondence you’ve addressed to firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, or email@example.com.
Tumblr will never ask you for your password by email. Emails are easy to fake, and you should be suspicious of unexpected emails you receive.”
The last point is critical. Phishing is a common attack conducted via email to dupe recipients into clicking on malicious links, opening up tainted attachments, or asking them to divulge personal information. Now any emails you might receive that look similar to a Tumblr address but seem suspicious for whatever reasons should be approached with serious caution. The email that Pinterest and Twitter has sent out also reaffirms that its users shouldn’t divulge their account information, especially passwords.
Fortunately for Twitter, the social network is using DMARC, Domain-based Message Authentication, so that email providers including AOL, Gmail, Outlook, and Yahoo! Mail, can flag and delete any emails that are trying to mimic a company’s real email address. So if you’ve emailed Twitter support before, the hacker probably has access to your email address, but with DMARC in place, any efforts to contact and phish for your information should be curbed. Let’s just hope that Tumblr and Pinterest follow suit.