Tumblr sent an email to its staff yesterday stating, ‘We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, before the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password.’
So it is a breach, probably rooted in legacy hardware and software. As breaches go, given the company’s age and user numbers at the time, it might seem not too bad. WRONG!
I don’t want to discourage start-ups, but the rush to market, building on cloud services and low- or no-cost apps and development tools, is an accident waiting to happen. By far the biggest security breaches come from using free or old development tools and poorly patched systems. Yahoo’s due diligence should have included a full audit of security measures and code resiliency. It is not as if they did not know of Tumblr’s past.
Before Yahoo’s acquisition, Tumblr was regularly targeted. A big one in June 2011, exploiting Tumblr users’ voracious appetite for porn, resulted in email address logins and passwords being stolen via ‘click on this link for free adult material’ lures. Then again, at the end of 2012, over 6000 users caught worms from the site (or links to it). Then there was the biggie in 2013!
Nick FitzGerald, Senior Research Fellow at ESET, has some words of advice. While many seem like motherhood statements, they are still ignored by too many.
- Always use a strong password. By strong password, I mean very long, varied and complex with at least 14-16 characters. It is also best to include capitals, numbers, and symbols. Not all the systems will allow this but if possible, this is the best way to protect an account. Even better, if you can use such long passwords, use a phrase, such as a few lines from a poem or song you know well.
- If you must use short passwords – less than 16 or so characters – avoid common words, simple keyboard patterns or personal information. Instead, use acronyms you will easily remember or spell words in a different way using phonetics and numbers. Of course, do not use the same password for all accounts.
- Password managers are a handy way to have many different and optimally secure passwords without losing your mind. It is best to not write all of your passwords down without any security on your computer or phone. Also, as you are commonly required to change passwords regularly, password managers can eliminate most of that hassle, with some even enabling you to automatically change your passwords with each login.
- To ensure maximum security for an account, it is strongly recommended to activate two-factor authentication. This increases security with an extra layer of protection that requires entering a unique code sent to another email address or mobile, or some other action involving a token carried by the account owner.
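The following Python is an added example, not code from the article, ESET or Tumblr. It turns the length, character-class, common-word, keyboard-pattern and personal-information rules above into a checker a site could run at registration, and pairs it with the salted, iterated hashing the breach notice alludes to. The blocklists are constructed for illustration (the advice names the categories, not the words), and PBKDF2-HMAC-SHA256 is my choice of salted hash; the article does not say which algorithm Tumblr used in 2013. The blocklist checks are applied at every length, slightly stricter than the advice, which only requires them for passwords under about 16 characters.

```python
import hashlib
import os
import re
import secrets
from typing import List, Optional, Sequence, Tuple

MIN_LENGTH = 14        # "at least 14-16 characters"
PHRASE_LENGTH = 16     # at or above this, a memorable phrase is acceptable

# Constructed blocklists for illustration only; a real deployment would use a
# breached-password corpus and a fuller set of keyboard walks.
COMMON_WORDS = ("password", "tumblr", "welcome", "letmein", "monkey")
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "12345")

PBKDF2_ITERATIONS = 600_000   # work factor; raise as hardware gets faster


def character_classes(pw: str) -> int:
    """Count how many of lower, upper, digit and symbol classes appear in pw."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(p, pw)) for p in patterns)


def assess_password(pw: str, personal_info: Sequence[str] = ()) -> Tuple[str, List[str]]:
    """Return ("strong", []) or ("weak", [reasons...]) under the advice above.

    personal_info is a caller-supplied list of things like the user's name or
    birth year that must not appear inside the password.
    """
    reasons: List[str] = []
    lower = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than 14 characters")
    # A long phrase may be all lower-case; a short password must mix classes.
    if len(pw) < PHRASE_LENGTH and character_classes(pw) < 3:
        reasons.append("fewer than 3 character classes")
    for word in COMMON_WORDS:
        if word in lower:
            reasons.append(f"contains common word '{word}'")
    for pat in KEYBOARD_PATTERNS:
        if pat in lower:
            reasons.append(f"contains keyboard pattern '{pat}'")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lower:
            reasons.append(f"contains personal information '{item}'")
    return ("strong" if not reasons else "weak", reasons)


def hash_password(pw: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash for storage; a fresh random salt per password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("Summer2013!", "qwerty123456789A", "correct horse battery staple"):
        print(candidate, "->", assess_password(candidate))
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
```

Because each record carries its own random salt, two users with the same password get different stored values, so a leaked table cannot be attacked with one precomputed lookup; the iteration count is what makes each guess expensive.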
Tumblr has advice too, and it is eerily similar to FitzGerald’s.
- Choose a unique password for Tumblr. It’s a good practice to avoid repeating passwords for any of your accounts and to choose passwords that are a mix of letters, numbers, and symbols.
- Make your password long - the longer, the better. We recommend passwords over 12 characters in length.
- Always look for the reassuring lock emblem in your browser's address bar at login.
- Never enter your Tumblr credentials on any site other than tumblr.com.
- Never give an application access to your Tumblr account unless it is from a source you trust.
- Never share your account credentials or mobile publishing email address with anyone.
- Set up Two-Factor Authentication in your account settings, which makes it really difficult for impostors to access your Dashboard.
- Make sure you have “Email me about account activity” turned on in your account settings.
- If you use Tumblr on a public computer, always log out of your session by clicking on the Account menu at the top of the Dashboard and then clicking “Log Out” at the top of the menu.