Tumblr is a Website where users can share photos, music, videos, quotes and posts, all of which can be customized with different colors and themes.
On its “About” page, Tumblr boldly suggests that users “follow the world’s creators.” With only 128 employees, Tumblr boasts 83.7 million blogs, 37.4 billion posts and a whopping 18.1 billion monthly page views.
So, all is well and good in Tumblr land, right? Perhaps most of the time. However, last week a worm struck Tumblr and infected some of the most widely read blogs, including those of CNET, Reuters and USA Today, as reported by CNET.
A reported hacker group called GNAA took credit for the attack, and stated on its Twitter profile that 8,600 Tumblr users were impacted; however, Tumblr responded in a blog post that no accounts were actually compromised, according to CNET.
When the attack occurred, Tumblr promptly told its users to log out of browsers using Tumblr and stated that it was diligently seeking to fix things, as reported by CNET.
Tumblr was able to resolve the issue later the same day of the attack; but, according to CNET, before then, when users went to a compromised Tumblr site, they would view a nasty post with swear words that criticized the site and its users in very harsh terms.
Security provider Sophos noted in a blog post, as reported by CNET, that the worm capitalized on Tumblr’s reblogging function, such that a user who was logged onto Tumblr would automatically reblog the infected post if she visited a compromised page. This caused malicious code to spread like a Web virus; mostly likely, Tumblr’s filters were circumvented by the hijacking of a legitimate Tumblr maintenance message.
Tumblr obviously cured this particular problem relatively quickly. But this scenario shows why cybersecurity is a real worry for social media and other sites. Any and all technological steps that can reasonably prevent security breaches before they happen should be seriously considered and implemented when feasible.
Eric Sinrod is a partner in the San Francisco office of Duane Morris LLP (http://www.duanemorris.com) where he focuses on litigation matters of various types, including information technology and intellectual property disputes. His Web site is http://www.sinrodlaw.com and he can be reached at ejsinrod@duanemorris.com. To receive a weekly email link to Mr. Sinrod’s columns, email him with Subscribe in the Subject line. This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author’s law firm or its individual partners.