Tumblr security breakdown leaves scenesters exposed for 40 minutes
While editing administrator code today, Tumblr founder David Karp and developer Marco Arment inadvertently published private user data for 40 minutes. Karp reports on his blog that 27 email addresses were exposed. He told us that four accounts — including popular Tumblr blogs by Julia Allison and Pete Nidzgorski — had their passwords changed. Karp told Valleywag he knows who changed the passwords. "He was a registered user, so we were actually able to look up his info," Karp said. The suspected hacker won't lose his Tumblr account. "I don't think we'll be taking this out on him," Karp said.
"We have a lot of info on what happened and we were able to recover quickly. We're very comfortable with our infrastructure, and will put some more practices in place to deal with any future human errors. We also feel extremely fortunate that our users have been so forgiving."