I was this many years old when I found out that Tumblr has had far more data leaks than they have come clean about. However, I tend to run in the right circles to make myself privy to that sort of information — I grew up around hackers and programmers, and I consider them “my people” before I would consider anyone else my people. It was humorous to find out that someone with… insider information on the May 2022 data leak for Tumblr had actually found my blog, read the posts that I had written in it about security concerns, and validated them by contacting me on Discord to let me know that all of my security concerns were correct. I was then walked through the exploit used to get into Tumblr’s back end and how one would… keep getting into Tumblr’s back end, and I was told what the hackers could do (and perhaps what they were most interested in doing), which I wrote about in more the last blog post of mine that addressed the data leak.

Again, I tried to bring this up to Tumblr in the form of Tweets directed to them. And again, I was literally ignored by Tumblr. If they want to ignore an active data breach that exposed passwords in plain text, that’s fine by me. I don’t have an account on their website any more, and I have absolutely no inclination on ever making one again if this is how things are going to be. I don’t think I’ve ever truly seen a website so utterly incompetent — they couldn’t even bother responding to me to thank me for my concerns, and I already know that their “site security” (if you can even call it that) has not addressed the exploit that the hackers literally uploaded to facilitate ease of use continuing to get back into Tumblr’s back end because it is seriously still there. I mean, how can you ignore security issues that are this glaring when there is tangible proof that they exist and are actually there? Do you not care about the safety of the information that users of your site post?

I can confirm that Tumblr has not patched the security breach that has now allowed more than one hacker access to the back end of their site, and… well, let’s be real, everything that they could ever want if they wanted to mess their whole site up. These people are expertly able to hide their tracks so that Tumblr does not know that they are there (aside from me having attempted to report a possible, probable, now actual security breach to Tumblr that they ignored). The passwords were not hashed by SHA-1 protocol like Tumblr claimed (“they were a mess, let’s just say that”), nor were they salted, but it was possible for the hackers to brute-force them into plain text… and it’s been possible for the hackers to find out what they are if the person changes them. I was told that Tumblr’s “security”, term used loosely, is more than a decade old (“if that”, person reiterating that it is a mess), easy to get into and do whatever they wanted with, even easier to hide their tracks so that Tumblr had no idea they were even there in the first place, and the easiest to get back into if Tumblr ever even patches it in the first place… which seems doubtful since I reached out to them as many times as I did to let them know that this was a potential problem, and then it became an actual problem for them when it was actually exploited. They gave no indication that they ever listened to me.

These hackers can also permanently take someone’s account from them by changing the e-mail and password on it. They’ve told me this. I have no reason in the world to doubt them given the screenshots that I’ve already been shown. But this is no longer my problem. I did what I could. The rest is up to… whoever.

But for the record, I can say with confidence that I literally don’t care what happens to them now.

If the equivalent of the Red Wedding happens to them because of their own overconfidence, let it.