Tumblr Security Hole Reveals Passwords

Tumblr released an update for their iOS apps after a recently discovered security hole first reported by The Register discovered by one of their readers.

Tumblr users’ passwords were exposed in plaintext and not encrypted using SSL.


SSL is the cornerstone for our sense of security when accessing websites, which require a login, by encrypting sensitive information during online communications.

Plaintext or cleartext is often how we refer to unencrypted textual data transmitted online. Most people wouldn’t even know this occurred as the data would only be visible through sniffing the traffic.

We put our trust in developers to take our security into account and sometimes it’s overlooked.

This type of security hole can affect us mostly when accessing unsecure WiFi hotspots. There are sniffers out there that can capture traffic via the data connection but they aren’t as prevalent as WiFi sniffers. The reality is there are many WiFi sniffing apps available for our smartphones. It doesn’t take much.

Derek Gottfrid VP of Product at Tumblr posted this message below to users yesterday:


This appears to affect only Tumblr’s iOS app, for iPhone and iPad, they were quick to fix and push out an update last night, but the security hole had been present for a time.

If you are a user of Tumblr for iOS we recommend updating the app and changing your password for security measures.

For tips on creating strong and secure passwords I recommend reading a recent post by our Josh Cannell.

I would also recommend if you are not using WiFi on your device, disable, and only re-enable when you need. This can help prevent unwanted WiFi sniffing.


Armando Orozco

Senior Malware Intelligence Analyst

Faux geek who likes to keep it bland. Experienced in behavioral, PC, and mobile technologies.