Tumblr security lapse - iPhone and iPad users update your passwords now!

Filed Under: Featured, Privacy, Social networks

Tumblr has released a "very important" update for their iPad and iPhone apps following what they describe as a "security lapse".

It appears that passwords were being sent over the internet unencrypted, making it easy for anyone with bad intentions and a little technical knowledge to harvest Tumblr users' login details.

The short post by Derek Gottfrid, Tumblr's VP of product, gives very little away but does say that passwords may have been compromised by being "sniffed in transit".

Tumblr post

Important security update for iPhone/iPad users

We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances¹. Please download the update now.

If you’ve been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password. It’s also good practice to use different passwords across different services by using an app like 1Password or LastPass.

Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience.

¹ "Sniffed" in transit on certain versions of the app

According to The Register who broke the news, a source approached them after failing to get the issue resolved by Tumblr's support team.

It looks like the previous versions of the iOS apps weren't logging users in over SSL. But Tumblr hasn't said much, and their lack of transparency leaves us wondering whether any passwords were actually captured.
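The control the old app evidently lacked is simple: a client must refuse to submit credentials over anything but verified TLS. The example below is added here and is not Tumblr's code; the `/login` path, the JSON field names and the `example.invalid` host are assumptions.

```python
"""Login client that only ever sends credentials over verified TLS.
Added illustration, not Tumblr's code; endpoint and field names are assumed."""
import json
import ssl
from urllib.parse import urlparse
from urllib.request import Request, urlopen


class InsecureTransport(Exception):
    """Raised when a login would leave the device unencrypted."""


def credentials_allowed(base_url: str) -> bool:
    """True only for https:// URLs; plain http:// is sniffable in transit."""
    return urlparse(base_url).scheme == "https"


def login_request(base_url: str, username: str, password: str) -> Request:
    """Build the POST for a hypothetical /login endpoint, HTTPS only."""
    if not credentials_allowed(base_url):
        # This is the guard the vulnerable app versions did not have.
        scheme = urlparse(base_url).scheme or "<none>"
        raise InsecureTransport(f"refusing to send a password over {scheme!r}")
    body = json.dumps({"username": username, "password": password}).encode()
    return Request(base_url.rstrip("/") + "/login", data=body,
                   headers={"Content-Type": "application/json"}, method="POST")


def strict_tls_context() -> ssl.SSLContext:
    """TLS context that verifies the certificate chain and the hostname."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_login(base_url: str, username: str, password: str, opener=urlopen):
    """Send the login; the URL check runs before any bytes hit the network."""
    req = login_request(base_url, username, password)
    return opener(req, context=strict_tls_context())
```

`send_login` never reaches `urlopen` for an `http://` URL, so the failure mode is loud rather than silently leaking the password.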

Fans of Tumblr - which was recently acquired by Yahoo - who access the site via Windows Phone or Android devices appear to have been unaffected.

So if you use Tumblr on your iPad or iPhone, download the latest version of the app now.

Then change your password, both on Tumblr and anywhere else where you have used the same login credentials.

If you're having trouble choosing a new password, watch this video. And remember to always use a different password for each site. You can always use a password manager such as LastPass or KeePass to remember them all for you.


8 Responses to Tumblr security lapse - iPhone and iPad users update your passwords now!

  1. Scott K · 811 days ago

    I'm not terribly happy with Tumblr's security responses. The majority of their users don't know or care about security, but the rest of us ask questions about their security and get no answers beyond "upgrade to our new app!"

    • Matt · 811 days ago

      You wrote, "The majority of their users don't know or care about security ..."

      Normally, I detest generalizations. But in this case, I will firmly agree with you based on my interactions with Tumblr and their userbase.

      Oh, look! A cat with a piece of bread on its face. "Ain't that just swaggie!?"

  2. Danielle · 811 days ago

    What about the app on iPods? Does that need to be updated too, or just iPhone/iPad?

    • markstockley · 811 days ago

      Hi Danielle,

      Although Tumblr haven't explicitly said that the app running on iPod is vulnerable I would assume it is. It seems that they only have one app and that app works on iPhone 3GS, iPhone 4, iPhone 4S, iPhone 5, iPod touch (3rd generation), iPod touch (4th generation), iPod touch (5th generation) and iPad.
  3. Guy · 810 days ago

    Only found out about this due to this page and only started using the app the day before the update. Now can't change my password cause the site is having problems...

  4. Allen · 810 days ago

    Any word on Android issues?

  5. Norm · 810 days ago

    About the video, I always wonder about saving all passwords under the protection of one password, even encrypted. This, to me would only work with an additional measure, like a token. I would like to hear more about these services before recommending to clients.


About the author

Lee Munson is the founder of Security FAQs, a social media manager with BH Consulting and a blogger with a huge passion for information security.