14 DAY TRIAL // As reported by Tumblr on their staff blog, they fixed a security bug which allowed attackers to view account information of users who had their blogs featured in the website's Recommended Blogs module.
Tumblr also said that there is no evidence that the security issue was actually used by any bad actors to steal information and that any "unprotected account information was accessed" until the problem was fixed.
The security bug would have allowed attackers to view and steal "email address, protected (hashed and salted) password of the Tumblr account, self-reported location (a no longer available feature), previously used email addresses, last login IP address, and the name of the blog associated with the account."
Even though this doesn't mean much given that there's a good chance Tumblr could very well be wrong depending on the monitoring mechanisms they have in place, it's still commendable that they publicly disclosed the security bug fix and a possible exposure of user data.
The issue was reported via a bug bounty and was fixed by Tumblr's security engineering team within 12 hours after the initial report.
The security issue would have allowed attackers to email addresses, hashed and salted passwords, more
"The bug was in the “Recommended Blogs” feature on the desktop version of Tumblr. “Recommended Blogs” module displays a short, rotating list of blogs of other users that may be of interest, and appears only for logged-in users," said Tumblr. "If a blog appeared in the module, it was possible, using debugging software in a certain way, to view certain account information associated with the blog."
According to their blog post, Tumblr's team was not able to find any accounts specifically targeted or compromised by bad actors using the fixed security issue.
Tumblr's public disclosure is what Google should have done after discovering a Google+ API security issue that led to data leaks affecting 500,000 profiles.
They found about it in March 2018 but chose not to disclose it publicly until October 8 because they "found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused."