Tumblr’s ‘recommended blogs’ feature exposed user data


Staff penned an open letter in an effort to be transparent


A security bug in Tumblr’s recommended blogs module may have exposed users’ private information, according to an open letter. Information such as email addresses, passwords, IP addresses, and self-reported locations may have been exposed by the bug if individual accounts were hit.

It’s unclear if the bug affected individual accounts, according to the open letter, but an investigation concluded that the bug “was rarely present.”

“We’ve also thoroughly investigated any way in which our community could have been affected,” the letter reads. “We found no evidence that this bug was abused, and there is nothing to suggest that unprotected account information was accessed.”

The bug was brought to Tumblr’s attention through a bug bounty program run by Oath, Tumblr’s parent company. A security researcher discovered that if a blog appeared in the recommended section of a user’s dashboard, “it was possible, using debugging software in a certain way, to view certain account information associated with the blog.”

Tumblr’s desire to be transparent with users about security bugs and potentially compromised information comes at a time when other social media platforms are being hit with criticism. Facebook has encountered several major security flaws this year, leading to widespread concern among users as millions of accounts were affected.

“It’s our mission to provide a safe space for people to express themselves freely and form communities around things they love,” Tumblr’s open letter reads. “We feel that this bug could have affected that experience. We want to be transparent with you about it. In our view, it’s simply the right thing to do.”