Tumblr promises it fixed a bug that left user data exposed

Tumblr says it has sorted out a bug on its site that could potentially have revealed user data.

The New York-based company said on Wednesday, October 17 that it had “some important information” that it wanted to share, before going on to explain about the security flaw.

First, it wanted to make clear that it so far had no concrete evidence that any data had been stolen. At the same time, the company promised that the issue had been resolved and that no action — such as changing account passwords — was required on the part of users.

So, what happened? According to the blogging platform, a security researcher reported the problem several weeks ago via Tumblr’s bug bounty program. Engineers fixed the issue within half a day, and since then the company has taken steps to improve monitoring and analysis procedures to help it identify and fix any similar bugs in the future.

The flaw in question was linked to the “recommended blogs” feature on the desktop version of Tumblr. Recommended blogs are powered by an algorithm that displays a short, rotating list of blogs by other Tumblr users that may be of interest, and the module appears only for people logged in to the Tumblr site.

According to Tumblr, if a user’s blog appeared in this module, it was possible, by “using debugging software in a certain way,” to view some of that user’s account information.

“We found no evidence that this bug was abused, and there is nothing to suggest that unprotected account information was accessed,” the company said.

It added that it couldn’t be sure which specific accounts were affected by the security flaw, but said that through its own analysis, “the bug was rarely present.”

At the worst, it’s possible that certain user account information could have been viewed, including email addresses, encrypted Tumblr account passwords, self-reported location (a feature that’s no longer available), previously used email addresses, the last login IP address, and the name of the blog linked to the account.

The company said it wanted to be transparent with its community about the security flaw, even though it’s confident that no user data was stolen while the bug was live. It’s early days, however, so no doubt Tumblr will be monitoring the situation closely to ensure that its assumptions are correct.

Not the first, won’t be the last …

Tumblr certainly isn’t the first social media service to get entangled in an issue linked to online security. Only recently, Facebook revealed a security vulnerability that gave hackers the chance to take control of as many as 30 million accounts, while Twitter said in September it’d squashed a security bug that leaked direct messages between users. And then there’s Google+, which said last week that a flaw had given hackers access to personal information linked to up to half a million accounts. The web giant said that following the hack, and because of a lack of interest among users in the platform, it plans to completely shut down Google+ by August 2019.

