Hipster blogging service Tumblr had a little breach this weekend, possibly revealing users’ personal information, passwords, and IP addresses, according to SocialTimes, which put together a chronology of the event.
On Saturday, a Tweet from @J2Labs alerted: “OMG…The Tumbeasts are spitting out passwords!” It turned out that 748 lines of sensitive configuration information was exposed to the public. Hacker News soon became the site of record for debate on the breach, how serious it was, and who was to blame. Tumblr itself quickly patched the vulnerability and posted an official take on it within six hours of the breach’s discovery. “We’re certain that none of your personal information (passwords, etc.) was exposed, and your blog is backed up and safe as always. This was an embarrassing error, but something we were prepared for,” said Tumblr; it said it would bring in independent auditors to confirm that no passwords or personal information had actually been captured. Tumblr chalked it all up to “a human error.”
Commenters on Hacker News have very different takes on the event. User nsfmc called the community’s response to the breach “self-righteous and incredibly passive-aggressive…I mean, find a bug, report it, move on.” User InclinedPlane did not agree, calling the breach “a failure of basic security principles. Imagine if the super to your apartment complex accidentally mailed a box full of duplicate keys to a local methadone clinic. That’s not an embarrassing mistake, it’s a catastrophic error bordering on criminal negligence.” Other users came down somewhere in the middle.
It’s not the first time Tumblr has had back-end troubles. The four-year-old site hosting 15 million blogs had a fairly basic security hole back in its infancy, three years ago, when users found they could access Tumblr’s system administration page just by adding “/admin” to a URL. Tumblr’s security has obviously become more sophisticated since then. But on top of the recent security breach, it has had problems accommodating its rapid growth, undergoing a site outage in December. The site recently received a $135 million valuation.