Oh, no! Erotic photobloggers and magazine interns everywhere were rocked with the news today that microblogging service Tumblr was the site of a prolonged "phishing" attack that seems to have stolen thousands of Tumblr logins and passwords. How will we ever be able to trust our favorite dogs-wearing-human-clothes blogs again?
According to the GFI Labs blog, the scam presented Tumblr users "with the promise of 'hidden' pornographic content that requires entering login credentials to view." The users were redirected to a dialog on a fake Tumblr site—tumblriq(dot)com, tumblrlogin(dot)com, or tumblrsecurity(dot)com—and asked to provide their user names and passwords (and who wouldn't?! Adult content!). That information was then used to repeat the scam for all of the users following that user's account. GFI writes:
The problem has become so pervasive that regular Tumblr users are setting up dedicated anti phishing sites to advise users of the problem. One of these sites actually pointed us in the direction of one of the dropzones used for the stolen logins, and the problem does indeed seem to be out of control at this point.
The data we saw contained 8,200 lines of text stretched across 304 pages of Microsoft Word, and even accounting for the inevitable duplicates and fake data that's still quite the goldmine of pilfered login credentials.
It's not a complicated scam, and for enormous services like Facebook, phishing chains like this aren't altogether uncommon. But on a smaller site like Tumblr, a scam like this can be fairly significant, especially given that Tumblr doesn't seem to have the manpower—or the willpower—to handle what's become an ever-growing problem with spam messages and accounts. Tumblr could be a fantastic platform—not just for legacy media trying to be cool—but if doesn't take care of its existing users, they'll leave quicker than it'd take to get a book deal out of your hipsters-riding-horses blog.