Tumblr: Oops, We Might Have Blown Your PasswordS

If you use an iPhone or iPad to cruise Tumblr, change your login ASAP: the company just admitted a serious flaw in its iOS apps makes it easy for someone to steal your password out of thin air.

In a very quiet, very short post to the Tumblr staff blog, the site issues a mea culpa:

We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances¹. Please download the update now.

If you’ve been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password. It’s also good practice to use different passwords across different services by using an app like 1Password or LastPass.

Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience.

In other words, there hasn't been any "hack" or "break in," but every time you log in to Tumblr via iPhone, your password has been broadcast naked. Anyone on the same network with the right knowhow could intercept it without much trouble. Botching something like this, for a billion dollar company that's now part of one of the biggest tech entities in the world, is frankly, embarrassing. Even more shameful is the fact that the warning is tucked away on the corporate staff blog: why aren't users being warned individually? Why isn't there any message on Tumblr.com itself? Too busy selling ads?