a vulnerability that it says could have exposed private user data, according to an announcement by the microblogging and social networking site. The information that could have been viewed by unauthorized parties includes email addresses, hashed and salted passwords, locations, previously used email addresses, and last login IPs.
The flaw resided in the “Recommended Blogs” feature in the desktop version of Tumblr. The widget shows logged-in users a list of blogs that may be of interest to them. “If a blog appeared in the module, it was possible, using debugging software in a certain way, to view certain account information associated with the blog,” said Tumblr. Discovered and reported through the platform’s bug bounty program several weeks ago, the security vulnerability was resolved within 12 hours.
The New York-based company also said that it couldn’t determine which specific accounts were at risk, although its analysis is said to have shown that “the bug was rarely present”. The site, which has over 440 million blogs, gave assurances to its users that it has found no evidence to suggest that any data was actually lifted. At the same time, the platform said that users needn’t take any action. In these cases, “taking action” usually means “Change your passwords!”
Nevertheless, the company decided to disclose the flaw because of what Tumblr says is its commitment to transparency and because it believes that “it’s simply the right thing to do”. It has also taken steps to “improve monitoring and analysis procedures to help it identify and fix any similar bugs in the future”.
Tumblr has joined the ranks of other high-profile technology companies, such as Twitter, Facebook and Google, that have all revealed vulnerabilities in recent weeks that could have been exploited, or were actually exploited, for harvesting the private information of some users. Back in 2016, Tumblr had its hands full with a security incident that compromised the details of 65 million Tumblr users as a result of a breach dating back to 2013.
For years, researchers, hackers, and even some politicians have warned about stark vulnerabilities in a mobile data network called SS7. These flaws allow attackers to listen to calls, intercept text messages, and pinpoint a device's location armed with just the target's phone number. Taking advantage of these issues has typically been reserved for governments or surveillance contractors. But on Wednesday, German newspaper The Süddeutsche Zeitung reported that financially-motivated hackers had used those flaws to help drain bank accounts.
This is much bigger than a series of bank accounts though: it cements the fact that the SS7 network poses a threat to all of us, the general public. And it shows that companies and services across the world urgently need to move away from SMS-based authentication to protect customer accounts.
"I'm not surprised that hackers take money that is 'lying on the table'. I'm just surprised that online bank thieves took so long in joining spying contractors in abusing the global SS7 network," Karsten Nohl, a cybersecurity researcher who has highlighted vulnerabilities in SS7, told Motherboard in an email.
In short, the issue with SS7 is that the network believes whatever you tell it. SS7 is especially used for data-roaming: when a phone user goes outside their own provider's coverage, messages still need to get routed to them. But anyone with SS7 access, which can be purchased for around 1000 Euros according to The Süddeutsche Zeitung, can send a routing request, and the network may not authenticate where the message is coming from.
That allows the attacker to direct a target's text messages to another device, and, in the case of the bank accounts, steal any codes needed to log in or greenlight money transfers (after the hackers obtained victim passwords). Although some telcos have taken steps to mitigate the issue, there are clearly still huge gaps for hackers to exploit.
"Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw," Lieu said in a statement published Wednesday. "I urge the Republican-controlled Congress to hold immediate hearings on this issue."
In the meantime, and maybe irrespective of whether SS7 problems are ever fixed, social media companies, banks, and other online services need to stop using SMS-based two-factor authentication. Last year the National Institute of Standards and Technology said it was no longer recommending solutions that used SMS.
Twitter does let users sign in with a code from Google Authenticator, an app on your smartphone that provides a more robust form of two-factor authentication, but the site apparently still sends those logging in an SMS code, which, in light of these recent SS7 attacks, totally undermines the extra security protections. Twitter did not immediately respond to a request for comment.
Motherboard even recently published a piece telling general readers that they were likely fine with only SMS-based two-factor authentication, which focused on another type of attack and was based on the premise that non-state hackers were not widely using SS7. That piece, clearly, is out of date.
"It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security," Lieu's statement added.