Should You Change Your Tumblr Password? Company Reveals Security Bug

Tumblr revealed Wednesday that the site suffered a "security bug" that was discovered through the bug bounty program. A security researcher found that there was a bug in the "recommended blogs" part of the desktop version of the website.

The bug was located in a feature available only to users logged into the site on desktop: the part of the site that shows a short list of blogs. When a blog appeared in that list, it was potentially vulnerable when debugging software was used, and some specific information was potentially visible to anyone who used debugging software while on the site.

In a blog post about the bug, Tumblr said there was no evidence that the bug was abused or that any of the "unprotected account information was accessed." The company also said users didn't need to take any action following the disclosure of the bug.

"We've resolved the issue, and have no evidence of this security bug being abused. We still, however, think it's the right thing to do to let you know," said the blog post from Tumblr.

Email addresses and passwords were among the information made available, but the company said users need not take any action over the bug. It's likely that no action was needed because the information was not actually fully visible to anyone who found a way in through the bug. The protected password was hashed and salted: hashing means it was run through a one-way function that is not designed to be reversed to recover the original, and salting means extra values were mixed in before hashing to protect it even more.

In addition to the protected passwords and email addresses, self-reported locations, previous email addresses and IP addresses were also made available as part of the bug. The bug was fully resolved within 12 hours of the company being notified of it, and it's no longer a concern. The company does not know which accounts were affected by it, though.

"It's our mission to provide a safe space for people to express themselves freely and form communities around things they love. We feel that this bug could have affected that experience. We want to be transparent with you about it. In our view, it's simply the right thing to do," said the blog post.

The logo of mobile app 'tumblr' is displayed on a tablet on January 2, 2014, in Paris. The company revealed Wednesday that it found a bug in its system. Lionel Bonaventure/AFP/Getty Images