Another data breach of a popular social media site leaves thousands of users exposed to identity theft.
Tumblr is a "microblogging" platform and social networking website that is hugely popular, especially with young people. The site allows users to set up their own blogs and to post text, photos, quotes, links, music, and videos from their browsers, phones, computers, via email or directly onto their blog page from "wherever you happen to be." It is popular enough that on May 20, 2013, Yahoo! acquired it for $1.1 billion – in cash. As of July 19, 2013, Tumblr hosted over 125 million micro-blogs.
So what happened that exposed Tumblr's millions to ID theft? On July 16 of this year, Derek Gottfrid, the company’s VP of Product, posted an entry to the company's official blog apologizing for a major security glitch that exposed blogger passwords and email addresses.
The posting read:
We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances. Please download the update now.
If you've been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password… Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience.
Tumblr did not discover the problem itself; rather, a British user of the service discovered the security flaw, which allowed users’ passwords to be seen because the apps were not logging users in over a secure (SSL) connection.
So to avoid identity theft, millions of users have to download an update to the app, change their Tumblr password, and possibly change the password on any other sites where they used the same one.
This was actually Tumblr's third brush with ID theft on a large scale.
Last February, Zendesk, a San Francisco-based customer service software provider, announced that a hacker had been able to download the e-mail addresses, along with the e-mail subject lines, of users of three social networking giants that contracted with Zendesk for support services. The companies were Twitter, Tumblr and Pinterest.
Prior to that, in March 2011, Tumblr posted the following on its official blog:
A human error caused some sensitive server configuration information to be exposed this morning. Our technicians took immediate measures to protect from any issues that may come as a result.
We're triple checking everything and bringing in outside auditors to confirm, but we have no reason to believe that anything was compromised. We're certain that none of your personal information (passwords, etc.) was exposed, and your blog is backed up and safe as always. This was an embarrassing error, but something we were prepared for.
The fact that this occurred at all is still unacceptable, and we'll be seriously evaluating and adjusting our processes to ensure an error like this can never happen again.
In these two previous incidents, Tumblr took no action beyond notifying users because no passwords or user personal information were revealed. But these three incidents continue to point out how vulnerable social media sites are to exposing personal information, either to a determined hacker or through simple human error. It seems that identity theft is just around the corner for even the biggest, most well-funded social media sites.