Tumblr has released a “very important” update for their iPad and iPhone apps following what they describe as a “security lapse”.
It appears that passwords were being sent over the internet unencrypted, making it easy for anyone with bad intentions and a little technical knowledge to harvest Tumblr users’ login details.
The short post by Derek Gottfrid, Tumblr’s vp of product, gives very little away but does say that passwords may have been compromised by being “sniffed in transit”
Important security update for iPhone/iPad users
We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances¹. Please download the update now.
If you’ve been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password. It’s also good practice to use different passwords across different services by using an app like 1Password or LastPass.
Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience.
¹ "Sniffed" in transit on certain versions of the app
According to The Register who broke the news, a source approached them after failing to get the issue resolved by Tumblr’s support team.
It looks like the previous versions of the iOS apps weren’t logging users in using SSL. But Tumblr hasn’t said much, and their lack of transparency means we are left wondering whether or not this has indeed happened.
Fans of Tumblr – which was recently acquired by Yahoo – who access the site via Windows Phone or Android devices appear to have been unaffected.
So if you use Tumblr on your iPad or iPhone, download the latest version of the app now.
Then change your password, both on Tumblr and anywhere else where you have used the same login credentials.
If you’re having trouble choosing a new password, watch this video. And remember to always use a different password for each site. You can always use a password manager such as LastPass or KeePass to remember them all for you.
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)