I can confirm that Tumblr has not patched the security breach that has now allowed more than one hacker access to the back end of their site, and… well, let’s be real, everything that they could ever want if they wanted to mess their whole site up. These people are expertly able to hide their tracks so that Tumblr does not know that they are there (aside from me having attempted to report a possible, probable, now actual security breach to Tumblr that they ignored). The passwords were not hashed by SHA-1 protocol like Tumblr claimed (“they were a mess, let’s just say that”), nor were they salted, but it was possible for the hackers to brute-force them into plain text… and it’s been possible for the hackers to find out what they are if the person changes them. I was told that Tumblr’s “security”, term used loosely, is more than a decade old (“if that”, person reiterating that it is a mess), easy to get into and do whatever they wanted with, even easier to hide their tracks so that Tumblr had no idea they were even there in the first place, and the easiest to get back into if Tumblr ever even patches it in the first place… which seems doubtful since I reached out to them as many times as I did to let them know that this was a potential problem, and then it became an actual problem for them when it was actually exploited. They gave no indication that they ever listened to me.
These hackers can also permanently take someone’s account from them by changing the e-mail and password on it. They’ve told me this. I have no reason in the world to doubt them given the screenshots that I’ve already been shown. But this is no longer my problem. I did what I could. The rest is up to… whoever.
But for the record, I can say with confidence that I literally don’t care what happens to them now.
If the equivalent of the Red Wedding happens to them because of their own overconfidence, let it.