- Majority of threats made since El Paso and Dayton shootings have been made online Thursday 8:00 PM
- Miley Cyrus tweets about cheating allegations and penis cake drama Thursday 6:32 PM
- ‘The Dark Crystal: Age of Resistance’ dazzles with a timely tale Thursday 6:00 PM
- The DOJ emailed a white nationalist blog post to immigration judges Thursday 5:31 PM
- The Amazon rainforest is on fire–and people are using memes to cope Thursday 4:11 PM
- Microsoft contractors listened in on Xbox users Thursday 2:15 PM
- Anti-vaxxer assaults pro-vaccine lawmaker on Facebook Live (updated) Thursday 2:15 PM
- Oreos licked by singer Lewis Capaldi are being auctioned off on eBay Thursday 1:54 PM
- Zach Braff predicted Sean Spicer would be on ‘Dancing With the Stars’ 2 years ago Thursday 1:38 PM
- NYPD sergeant who watched Eric Garner die punished with lost vacation days Thursday 1:27 PM
- Brie Larson haters have a meltdown over a joke about Thor’s hammer Thursday 1:26 PM
- This comedian attempted to make fun of women on Twitter—and it did not go over well Thursday 1:04 PM
- Logan Paul wants to help the Amazon rainforest Thursday 12:36 PM
- Nutaku announces redesign and filters for LGBTQ porn games (updated) Thursday 12:25 PM
- This video of dozens of inflatable mattresses taking off in the wind is perfect Thursday 12:20 PM
A major Tumblr security bug potentially exposed its users’ private data, but the blogging service says it has patched the problem.
The vulnerability, discovered by a security researcher participating in the company’s bug bounty program, involved Tumblr’s “Recommended Blogs” feature utilized by the service’s desktop app.
A blog post from the company explaining the issues states: “If a blog appeared in the module, it was possible, using debugging software in a certain way, to view certain account information associated with the blog.”
“This included email address, protected (hashed and salted) password of the Tumblr account, self-reported location (a no longer available feature), previously used email addresses, last login IP address, and the name of the blog associated with the account,” the company revealed.
Tumblr emphasized that an internal investigation yielded “no evidence of this security bug being abused” and said the issue was fixed within 12 hours of being reported.
“We’re not able to determine which specific accounts could have been affected by this bug, but our analysis has shown that the bug was rarely present,” Tumblr said.
The blog adds that users are not required to take any action as a result of the incident.
“It’s our mission to provide a safe space for people to express themselves freely and form communities around things they love. We feel that this bug could have affected that experience,” Tumblr concluded. “We want to be transparent with you about it. In our view, it’s simply the right thing to do.”
Bug bounty programs are used by numerous technology companies in order to reward security researchers for discovering issues that could be exploited by malicious actors.
While the most recent bug does not appear to have resulted in the compromise of private data, a hacker was able to steal account details from 65 million Tumblr users in 2016.
Mikael Thalen is a tech and security reporter based in Seattle, covering social media, data breaches, hackers, and more.