Tumblr recently added a feature called “Recommended Blogs” that presents you with a list of blogs you might enjoy based on your past viewing habits. It’s a great idea in theory, but unfortunately, there were problems with the way the feature was implemented.
Any blog on the recommended list was placed there in such a way that it left the blog owner’s personal information exposed, including:
- IP Address
- Self-reported location
- Email Address
Tumblr had this to say in an open letter published on their site:
“It’s our mission to provide a safe space for people to express themselves freely and form communities around things they love. We feel that this bug could have affected that experience. We want to be transparent with you about it. In our view, it’s simply the right thing to do.
We found no evidence that this bug was abused and there is nothing to suggest that unprotected account information was accessed.”
Even if you’ve never seen your Tumblr blog on the recommended list, your best bet is to change your password immediately. As usual, if you use the same password for Tumblr that you use on any other web property, change that password too.
Now would be a great time to break yourself of the habit of using the same password across multiple websites. Continuing that practice makes you a ticking bomb. Sooner or later, it’s going to explode on you, with tragic consequences that could take years to fully recover from. (Read our post on passwords).
We applaud Tumblr’s handling of this issue. At a time when other social media platforms are under fire for their handling of security flaws, Tumblr’s transparency is refreshing indeed.