Being transparent about security bugs

Hi Tumblr,

There’s some important information we want to share with you about a recent security bug we’ve resolved. Most importantly, there is no action required of you. We’ve resolved the issue, and have no evidence of this security bug being abused. We still, however, think it’s the right thing to do to let you know.

A few weeks ago, we received a report of a bug involving user account information from a security researcher participating in our bug bounty program, which invites some of the best researchers in the world to test the security of our systems. The bug was resolved by our engineering team within 12 hours of being reported to us, and we’ve taken steps to enhance product monitoring and analysis that will help prevent and detect this type of bug in the future.

The bug was in the “Recommended Blogs” feature on the desktop version of Tumblr. “Recommended Blogs” module displays a short, rotating list of blogs of other users that may be of interest, and appears only for logged-in users. If a blog appeared in the module, it was possible, using debugging software in a certain way, to view certain account information associated with the blog.

We’ve also thoroughly investigated any way in which our community could have been affected. We found no evidence that this bug was abused, and there is nothing to suggest that unprotected account information was accessed.

We’re not able to determine which specific accounts could have been affected by this bug, but our analysis has shown that the bug was rarely present. When it was, it was possible that certain user account information could have been viewed. This included email address, protected (hashed and salted) password of the Tumblr account, self-reported location (a no longer available feature), previously used email addresses, last login IP address, and the name of the blog associated with the account.

It’s our mission to provide a safe space for people to express themselves freely and form communities around things they love. We feel that this bug could have affected that experience. We want to be transparent with you about it. In our view, it’s simply the right thing to do.

4

It’s National Coming Out Day! Some things to know:

Coming out can be a beautiful, empowering thing that makes your life easier;

But it’s also really scary and can sometimes, for a little while or for a long time, make life harder;

So it’s important to come out on your own terms, when and where you’re ready, at whatever pace feels right to you;

And equally important never to out anyone for any reason;

But whether you’re ready today or tomorrow or not for a very long time, lots of people love you and are ready to welcome you with open arms. Take your time.

Happy National Coming Out Day. I’m so proud to be a part of this community with you all, and I hope you are too. ❤️

3

I haven’t made a drawing like this in a while, but I couldn’t keep quiet when faced with the news. I want to live in a world where we believe survivors of sexual assault and where we believe women. This piece hurt to make and hurt to post (I know I will receive backlash from those who disagree politically), and I would really appreciate empathy and respect here. Please unfollow me rather than making inflammatory comments.