Thousands of Tumblr Users Hijacked By Viewing Viral Post
Tumblr users can breathe easily once again following a few terrifying hours on Monday, during which accounts on the blog network were hijacked if users happened to visit the wrong post. By 1:30 p.m. ET, Tumblr reported that its engineers had resolved the issue.
Before Tumblr started cleaning up the problem, visiting the wrong post became increasingly easy to do. Sophos, an international Internet security firm, speculates that "the worm took advantage of Tumblr's reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages."
The worm-spreading post in question began with the words "Dearest 'Tumblr' users," a Tumblr spokesperson told NBC News.
Describing the infected post, the spokesperson advised, "If you have viewed this post, please log out of all browsers that may be using Tumblr immediately."
"If you see something on your [Tumblr] dashboard about emo kids and suicide and bleach, don't click it," the Daily Dot's Kevin Morris wrote, referring to the post's aggressively offensive contents.
The Verge's Adi Robertson, who saw his tech site's Tumblr blog fall to the post's malicious effects, described the messages reposted by affected accounts as "exhortation for users to commit suicide."
If you happened to open up a version of this post from your Dashboard or followed a link to it while logged into your Tumblr account, odds are that you were affected and helped the worm spread. A "few thousand Tumblr blogs" were hijacked by the time the blog network resolved the issue, according to Tumblr.
If you stayed logged out of your Tumblr account while viewing an affected blog, it seems that you were safe. And, despite what the malicious post claimed, deleting any copies of it through the Tumblr mass editor seemingly fixed things for your account, according to BuzzFeed's Ryan Broderick.
A spokesperson for the Daily Dot, another major site that was affected, explains that the hacking group believed to be behind the viral post is likely "responsible for several high-profile hoaxes in the past." Gawker's Adrian Chen, after speaking to someone claiming to be "the PR guy" for the hacker group allegedly behind the exploit, reported that the group says it warned Tumblr about the vulnerability weeks ago.
"This was a serious issue that needed to be fixed," the individual reportedly told Chen. "Someone would have done a lot worse than just posting a message over and over if they didn't fix it right away." According to the same person, affected accounts weren't actually compromised — meaning that passwords remained safe. (This shouldn't stop you from changing your Tumblr password as a precaution, especially if you were affected.)