I can confirm that Tumblr has not patched the security breach that has now allowed more than one hacker access to the back end of their site, and… well, let’s be real, everything that they could ever want if they wanted to mess their whole site up. These people are expertly able to hide their tracks so that Tumblr does not know that they are there (aside from me having attempted to report a possible, probable, now actual security breach to Tumblr that they ignored). The passwords were not hashed by SHA-1 protocol like Tumblr claimed (“they were a mess, let’s just say that”), nor were they salted, but it was possible for the hackers to brute-force them into plain text… and it’s been possible for the hackers to find out what they are if the person changes them. I was told that Tumblr’s “security”, term used loosely, is more than a decade old (“if that”, person reiterating that it is a mess), easy to get into and do whatever they wanted with, even easier to hide their tracks so that Tumblr had no idea they were even there in the first place, and the easiest to get back into if Tumblr ever even patches it in the first place… which seems doubtful since I reached out to them as many times as I did to let them know that this was a potential problem, and then it became an actual problem for them when it was actually exploited. They gave no indication that they ever listened to me.
These hackers can also permanently take someone’s account from them by changing the e-mail and password on it. They’ve told me this. I have no reason in the world to doubt them given the screenshots that I’ve already been shown. But this is no longer my problem. I did what I could. The rest is up to… whoever.
But for the record, I can say with confidence that I literally don’t care what happens to them now.
If the equivalent of the Red Wedding happens to them because of their own overconfidence, let it.
This is a screenshot of me and a friend ripping on Tumblr’s “site security”. They continue to refuse to acknowledge that there was a recent data breach, or data leak, even though passwords have now been brute-forced into plain text (they did not use SHA-1 cryptography to hash their passwords, let alone salt them… and I’m not going to get into the fact that passwords hashed with SHA-1 cryptography are now easier to brute-force, that site managers should look into using higher-leveled cryptography). But it is what it is, and I tried to alert them to the problem. It’s out of my hands now. It’s not my problem. I don’t have an account on their site, so none of my data is going to continue to be compromised, especially since I use burner e-mails for fandom accounts and do not replicate passwords. However, I can’t say the same for their other users. I can’t speak for them. But even the barest of statistical analyses would have to say that some of them would have to be using professional e-mails for these sorts of things, that they were replicating passwords, or even that they were using universal passwords (in 2022 of all years, which I am not even going to get into… heh).