Tumblr has said they found a major security bug in their platform that could have leaked people’s most personal information.
A problem with the innocent-looking “recommended blogs” screen could have given up people’s email addresses, passwords, old accounts, and where they were.
The issue has now been fixed and there is no evidence that it was actually used, Tumblr said. Users don’t need to do anything to keep their account secure.
The bug was discovered through Tumblr’s bug bounty programme, which pays security researchers if they are able to find problems with its software. That means that experts can get money for discovering the loopholes rather than using them to steal people’s information.
The bug was fixed within 12 hours of being reported, and Tumblr has taken extra steps to make sure that it is able to spot any similar bugs in the future.
The recommended blogs feature usually does exactly what it says: showing other blogs that a person might be interested in, if they’re logged into their account.
But the bug meant that when a blog appeared in that module, it could be hacked to find out information about the person who runs it.
Tumblr said it wouldn’t be able to find out which specific accounts had been affected by the bug, but that it was “rarely present”.
“It’s our mission to provide a safe space for people to express themselves freely and form communities around things they love,” the company wrote in a blog post. “We feel that this bug could have affected that experience. We want to be transparent with you about it. In our view, it’s simply the right thing to do.”