What Exactly Happened During This Weekend's Tumblr Password Leak?

By Katie Kindelan

The popular microblogging platform Tumblr was hit by a security breach on Saturday that exposed internal server configuration data, potentially revealing users’ personal information as well as passwords, server IP addresses and API keys.

The breach was first revealed by a Saturday morning tweet from coder @J2Labs that warned, “OMG… The Tumbeasts are spitting out passwords!”

That tweet quickly spread and the debate moved to Hacker News, where members tried to work out how more than 748 lines of sensitive configuration information from the site had become publicly accessible.

Tumblr was quick to react, fixing the problem and issuing an official message less than six hours after the flaw was first discovered.

Most importantly, Tumblr said it believed the breach was caught in time to protect users’ personal information from being compromised, although independent auditors would be consulted to confirm that was the case.

“We’re triple checking everything and bringing in outside auditors to confirm, but we have no reason to believe that anything was compromised. We’re certain that none of your personal information (passwords, etc.) was exposed, and your blog is backed up and safe as always. This was an embarrassing error, but something we were prepared for,” Tumblr assured users.

Members and bloggers on Hacker News and elsewhere pointed to possible coding errors involving the PHP scripting language as the culprit, while others countered that blaming PHP was unfair, since security holes can stem from design as much as from the language.

Tumblr, for one, blamed itself, or its engineers, for the breach, admitting:

“A human error caused some sensitive server configuration information to be exposed this morning. Our technicians took immediate measures to protect from any issues that may come as a result… The fact that this occurred at all is still unacceptable, and we’ll be seriously evaluating and adjusting our processes to ensure an error like this can never happen again.”
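Whatever the root cause, what the outside world saw was a server returning configuration text to any client that asked for it. The script below is an added example, not Tumblr's code, of the post-deploy check a practitioner would run against a site after an incident like this: it flags response bodies that look like unexecuted server-side source (an unprocessed PHP open tag, lines that are `define(...)` or `$var = ...` assignments) or that carry credential-shaped assignments and internal IP addresses. The sample bodies, URLs and key names are constructed for illustration.

```python
"""Post-deploy leak check: flag HTTP response bodies that look like unexecuted
server-side source or configuration rather than a rendered page.

Added example, not Tumblr's code. The URLs, key names and sample bodies below
are constructed for illustration.
"""
import re

# Text that should never reach a browser: an unprocessed PHP open tag, or
# lines that are config assignments (define(...) / $var = ...) instead of HTML.
SOURCE_MARKERS = (
    re.compile(r"<\?php\b"),
    re.compile(r"^\s*(?:define\s*\(|\$[A-Za-z_]\w*(?:\[[^\]]*\])*\s*=)", re.MULTILINE),
)

# Credential-shaped assignments such as define('DB_PASSWORD', '...') or
# $config['api_key'] = '...'. Group 1 is the key name, group 2 the value.
SECRET_ASSIGN = re.compile(
    r"(?i)\b(\w*(?:password|passwd|secret|api_?key|token)\w*)\b"
    r"['\"]?\]?\s*(?:,|=>|=|:)\s*['\"]?([^'\"\s,)]+)"
)

# Dotted-quad IPv4 literals; in a config body these usually name internal hosts.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_leaks(body):
    """Return what one response body gives away: a count of source/config
    markers, secret-looking assignments (value masked) and IPv4 literals."""
    markers = sum(1 for pat in SOURCE_MARKERS for _ in pat.finditer(body))
    secrets = [(m.group(1), m.group(2)[:2] + "***") for m in SECRET_ASSIGN.finditer(body)]
    ips = sorted(set(IPV4.findall(body)))
    return {"source_markers": markers, "secrets": secrets, "ips": ips}


def is_leaking(findings):
    """A body fails the check if it carries a secret or looks like raw source."""
    return bool(findings["secrets"]) or findings["source_markers"] > 0


def leaking_urls(responses):
    """responses: {url: body}. Returns the URLs whose body fails the check."""
    return sorted(url for url, body in responses.items() if is_leaking(find_leaks(body)))


# Constructed sample responses (not real Tumblr data): a normal rendered page
# and a PHP config file that the server returned as plain text.
RENDERED_PAGE = """<!doctype html>
<html><body>
<h1>Dashboard</h1>
<form action="/login" method="post">
  <input type="password" name="password">
</form>
</body></html>
"""

LEAKED_CONFIG = """<?php
define('DB_HOST', '10.0.0.12');
define('DB_PASSWORD', 'hunter2');
$config['api_key'] = 'AKIAEXAMPLEKEY0001';
$memcache_servers = array('10.0.0.20:11211', '10.0.0.21:11211');
"""

if __name__ == "__main__":
    sample = {"/": RENDERED_PAGE, "/config.php": LEAKED_CONFIG}
    for url, body in sample.items():
        print(url, find_leaks(body))
    print("leaking:", leaking_urls(sample))
```

In practice the bodies come from fetching a fixed list of URLs after every deploy; the check runs in the pipeline and fails the deploy on any finding, and the masked value is what goes into the ticket, never the secret itself.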

This weekend’s breach comes less than four months after Tumblr suffered a site outage that it blamed on a maintenance error, later admitting the outage was also a symptom of its struggle to keep up with the site’s growth.

The site was founded just four years ago and now averages more than 500 million monthly page views and hosts more than 15 million blogs.

A similar security lapse occurred more than three years ago, just as the site launched, when it was discovered that users could reach the system-wide Tumblr administrative page simply by logging into their personal Tumblr account and manually entering “/admin.” In effect the page checked that a visitor was logged in but not that the account was an administrator: a missing authorization check rather than a missing login check.
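The “/admin” incident is an authorization failure, not an authentication one: the site confirmed who the visitor was but not what the account was allowed to do. Below is an added example, not Tumblr's code, showing the flawed pattern beside a hardened router in Python. The session shape, role names and route table are assumptions made for illustration. The hardened version decides access from the path prefix before any handler runs and denies paths that no policy covers, so a newly added admin page cannot forget its check.

```python
"""Authentication is not authorization: a route guard that asks only "is the
visitor logged in?" lets any account open /admin.

Added example, not Tumblr's code. The session shape, role names and route
table are assumptions made for illustration.
"""

# Constructed sessions: anonymous visitor, ordinary blogger, site administrator.
ANON = None
USER = {"user_id": 42, "roles": {"user"}}
ADMIN = {"user_id": 7, "roles": {"user", "admin"}}

# Route table: path -> handler(session) -> (status, body).
ROUTES = {
    "/dashboard": lambda s: ("200", "dashboard for user %d" % s["user_id"]),
    "/admin": lambda s: ("200", "site-wide admin panel"),
    "/admin/users": lambda s: ("200", "user management"),
}


def dispatch_vulnerable(path, session):
    """The flawed pattern: the only gate in front of every handler is a login
    check, so a blogger who types /admin into the address bar gets the panel."""
    handler = ROUTES.get(path)
    if handler is None:
        return ("404", "not found")
    if session is None:
        return ("302", "/login")
    return handler(session)


# Authorization policy keyed by path prefix, evaluated by the router before any
# handler runs. Longest matching prefix wins; a path matching no prefix is denied.
POLICY = {
    "/admin": {"admin"},
    "/dashboard": {"user"},
}


def required_roles(path):
    """Roles needed for `path` under POLICY, or None when no policy covers it."""
    best = None
    for prefix, roles in POLICY.items():
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, roles)
    return best[1] if best else None


def dispatch_hardened(path, session):
    """Login check, then role check, then the handler: 302 for anonymous
    visitors, 403 for an account lacking the role or for a path with no policy."""
    handler = ROUTES.get(path)
    if handler is None:
        return ("404", "not found")
    if session is None:
        return ("302", "/login")
    needed = required_roles(path)
    if needed is None or not needed <= session["roles"]:
        return ("403", "forbidden")
    return handler(session)


if __name__ == "__main__":
    for name, session in (("anon", ANON), ("user", USER), ("admin", ADMIN)):
        for path in ("/dashboard", "/admin", "/admin/users"):
            print("%-5s %-12s vulnerable=%s hardened=%s" % (
                name, path, dispatch_vulnerable(path, session)[0],
                dispatch_hardened(path, session)[0]))
```

The 403 branch is also the place to log the actor and the path: a logged-in account repeatedly hitting admin paths it is not entitled to is the signal an operations team would want to alert on.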