Tumblr says it’s fixed a security bug, but says ‘no evidence’ any user data was exposed

Tumblr has disclosed a security vulnerability on its site that in some cases could have exposed account information.

The bug was found in the part of the site that recommends other Tumblr blogs to users, according to a blog post. The blogging site said the “recommended blogs” module — only visible to logged-in users — could have exposed some account information associated with the blog.

Tumblr didn’t disclose much about how the bug worked, but said that the information that could have been exposed included a blog owner’s email address, scrambled password (both hashed and salted) and self-reported location, as well as previously used email addresses and the last login IP address.

The security researcher who found the bug reported it to Tumblr, and the bug was fixed within a day. The researcher was awarded an undisclosed amount from Tumblr’s bug bounty program. (Disclosure: Tumblr and TechCrunch are both owned by Oath, a division of Verizon.)

Tumblr said that it has so far found “no evidence” that the bug was abused and “nothing to suggest” that unprotected account information was accessed, but wanted to “be transparent” about the incident.

That’s good news on one hand, but it’s early days and that may change. It’s near-impossible for companies to confirm with absolute certainty that a bug wasn’t exploited, often until data turns up somewhere. And, because requests that exploit a software bug often look just like legitimate, authorized requests in the logs, it’s difficult to differentiate between legitimate and malicious data requests.

Tumblr’s disclosure is the latest incident in a string of security blunders at high profile tech companies. Facebook recently confirmed 29 million accounts were improperly accessed, Twitter said that a year-long bug could have exposed some private direct messages, and just last week Google said it would shut down its Google+ social network after a security incident exposed a half-million accounts.

Unlike Google, which only came clean about the bug after the decision not to inform customers was revealed by the Wall Street Journal, at least Tumblr went public before it was forced to.

A Tumblr spokesperson did not return a request for comment.