shanology: usobuki: chandri: staff: We recently learned that a third party had obtained access…





We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password.

For additional information on keeping your accounts secure, please visit our Account Security page.

If you’re wondering why you were forcibly logged out of Tumblr with no warning and required to reset your password today, see above.

You know what would have been better than kicking me out and forcing a password change with no explanation, making your homepage look like a phishing site, Tumblr? SENDING OUT AN EMAIL OR SOMETHING.

Wow I’m glad that didn’t happen to me that’s shady as shit looking???


I’ve already been forced to reset my password just now, but I’ve also seen several people on my dash who have basically lost their blogs because they had those blogs tied to defunct e-mail addresses they no longer had access to – and tumblr is giving no option for resetting your password without access to the e-mail they send you.

If you haven’t been hit with the password reset yet – and it seems to be rolling out in waves – this would be a really good time to be sure your e-mail preferences are up-to-date in your tumblr account. If you can’t access the reset e-mail when they send it to you, you’re locked out. 

Hopefully they’ll fix this or come up with a work-around, but in the meantime, be prepared.

This is the latest reminder that Tumblr has limited resources, of which they devote approximately zero to treating users like customers, or even like people worthy of normal human consideration. @staff does not view us as people. They view us as product, as business assets to be monetized. That’s it.

So they take actions like this, and do it largely unannounced and with no provision for those who have used Tumblr for months or even years without needing to enter access credentials (a use case common on Tumblr due to previous decisions made by @staff to benefit itself). So now many of those users (tens of thousands? hundreds of thousands? millions?) risk losing access to their blogs. Tumblr justifies this as necessary for “security”, but the fact that they’re willing to do this to so many proves that real security is way down their list of priorities.

Real security would mean users being able to retain access to the blogs and followers they’ve devoted so much effort to curating.

A better blogging platform, one that combines Tumblr’s features with decision-making that places a higher value on user security, is not an impossibility. It only requires the will to make it.

Tumblr’s original developers weren’t gods. They weren’t even particularly good developers. They were just in the right place at the right time, and did the best they could under the circumstances. But in their inexperience they took a dismissive attitude toward security that continues to haunt the site to this day.

As far as I know, Tumblr is still @david’s baby. It’s an interesting expression, given that a lot of the shortcomings I see in how he runs the site are the kind of things actual parenthood might have taught him to avoid.

Becoming a parent gives you a sudden, intense realization of being completely responsible for a precious, helpless human being. There’s a sense of godlike power that is terrifying. It made me want to be more careful, more responsible.

When he founded Tumblr @david hadn’t had that experience, and apparently he still hasn’t learned that lesson. It shows in how he wields his godlike power over users, many of whom are not only figuratively but literally children. It’s kind of scary.


Tags: the creepy dude I can't unfollow, and who isn't a particularly responsible parent, toward his several hundred million virtual children, of whom I guess I'm one.
