Tumblr has disclosed a security vulnerability on its site that in some cases could have exposed account information.
The bug was found in the part of the site that recommends other Tumblr blogs to users, according to a blog post. The blogging site said the “recommended blogs” module — only visible to logged-in users — could have exposed some account information associated with the blog.
Tumblr didn’t disclose much about how the bug worked, but said the exposed data could have included a blog owner’s email address, scrambled password (both hashed and salted) and self-reported location, as well as previously used email addresses and the last login IP address.
The discovering security researcher contacted Tumblr and the bug was fixed within a day, and the bug finder was awarded an unknown amount from Tumblr’s bug bounty program. (Disclosure: Tumblr and TechCrunch are both owned by Oath, a division of Verizon.)
Tumblr said that it has so far found “no evidence” that the bug was abused and “nothing to suggest” that unprotected account information was accessed, but wanted to “be transparent” about the incident.
That’s good news on one hand, but it’s early days and that may change. It’s near-impossible for companies to confirm with absolute certainty that a bug wasn’t exploited, often until data turns up somewhere. And, because exploiting a bug like this often looks like an ordinary, authorized request to the software, it’s difficult to differentiate between legitimate and malicious data requests.
Tumblr’s disclosure is the latest incident in a string of security blunders at high profile tech companies. Facebook recently confirmed 29 million accounts were improperly accessed, Twitter said that a year-long bug could have exposed some private direct messages, and just last week Google said it would shut down its Google+ social network after a security incident exposed a half-million accounts.
Unlike Google, which only came clean about the bug after the decision not to inform customers was revealed by the Wall Street Journal, at least Tumblr went public before it was forced to.
A Tumblr spokesperson did not return a request for comment.
