The bug appears to be in the “Recommended Blogs” section with the desktop version of the Tumblr. The future is available for users only after login and it shows the list of blogs the user follows.
Tumblr said that “it was possible, using debugging software in a certain way, to view certain account information associated with the blog.”
The bug was found by a security researcher who participated in the bug bounty program and the bug was fixed by Tumblr within 12hrs.
“Most importantly, there is no action required of you. We’ve resolved the issue, and have no evidence of this security bug being abused,” Tumblr said.
The bug allows an attacker to access certain user account information such as email address, hashed password, self-reported location, previously used email addresses, last login IP address, and the name of the blog associated with the account.
Tumblr said there is no evidence that this bug was abused, and there is nothing to suggest that unprotected account information was accessed.
Tumblr is a microblogging and social networking website, it allows users to post multimedia contents and a short-form blog.
Facebook admitted a security breach last month that impacts 30 million user accounts, hackers gained access by exploiting a bug with “View As” feature.