Tumblr fixes security flaw that exposed account info

The recommended blogs feature showed more than it should.

Tumblr just fixed a flaw that could have revealed much more than bloggers were comfortable sharing. A security researcher who reported the issue to the social site (which is owned by Engadget's parent brand Oath, and thus Verizon) discovered a security hole in the "recommended blogs" module that let you obtain sensitive account information. If a blog showed up in the module, you could use a debugging tool to obtain the owner's current and past email addresses, their obscured password, their name and the IP address from their last sign-in. You could also see their self-reported location, although that hasn't been an option for a while.
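The flaw described above is a textbook case of excessive data exposure: a public-facing module was handed a full account record and sent fields the page never needed. The usual defence is to serialise such responses through an explicit allowlist rather than dumping the whole record. The following is an added example written for this article, not Tumblr's code; the record shape, field names and sample values are constructed for illustration.

```python
"""Allowlist serialisation for a public 'recommended blogs' style response.

Added example, not Tumblr's code. The AccountRecord fields and the
sample values are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass
class AccountRecord:
    # Internal record: public profile fields mixed with sensitive account data.
    blog_name: str
    title: str
    email: str
    previous_emails: list
    password_hash: str      # stands in for the "obscured password" in the article
    last_login_ip: str
    location: str


# Only these keys are allowed to reach a public recommendation payload.
PUBLIC_FIELDS = ("blog_name", "title")

# Fields that must never appear in any public response; used by the check below.
SENSITIVE_FIELDS = frozenset(
    {"email", "previous_emails", "password_hash", "last_login_ip", "location"}
)


def to_public_recommendation(record):
    """Safe: copy only the allowlisted fields into the response dict."""
    return {name: getattr(record, name) for name in PUBLIC_FIELDS}


def to_public_recommendation_unsafe(record):
    """The anti-pattern: serialising the whole internal record.

    Anything added to AccountRecord later is exposed automatically, which is
    how a recommendation widget ends up carrying emails and login IPs.
    """
    return dict(vars(record))


def leaked_fields(payload):
    """Return the sensitive keys present in a response payload (sorted)."""
    return sorted(SENSITIVE_FIELDS & set(payload))


def assert_no_sensitive_fields(payload):
    """Guard to run in a response test or an outbound serialisation hook."""
    leaked = leaked_fields(payload)
    if leaked:
        raise ValueError(f"sensitive fields in public payload: {leaked}")
    return payload


# Constructed sample record (values are made up).
SAMPLE = AccountRecord(
    blog_name="example-blog",
    title="Example Blog",
    email="owner@example.invalid",
    previous_emails=["old@example.invalid"],
    password_hash="$argon2id$placeholder",
    last_login_ip="203.0.113.7",
    location="Somewhere",
)

if __name__ == "__main__":
    print(to_public_recommendation(SAMPLE))
    print("unsafe payload leaks:", leaked_fields(to_public_recommendation_unsafe(SAMPLE)))
```

The `assert_no_sensitive_fields` guard is the piece worth wiring into a test suite: it turns "did this endpoint start leaking a new column?" into a failing build rather than a researcher's report.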

There's "no evidence" that anyone exploited the bug, and "nothing to suggest" someone accessed unprotected info, Tumblr said. This doesn't completely rule out an intrusion, but there's no immediate sign of trouble.

This isn't as large an incident as the recent Facebook hack or Twitter's direct message bug, but it's still serious. Tumblr's code would have let attackers obtain info they could use for phishing scams, harassment and other campaigns. The transparency helps, but it also reinforces the notion that data security is an ongoing problem at internet giants.