How to recover from a Tumblr hack

Earlier this year, before news of a 2012 breach of Yahoo log-in credentials involving more than 500 million user accounts became public, Tori Sicklick realized that her Yahoo-owned Tumblr account had been hacked. It had been a while since she’d revisited her 8-year-old blog, and she couldn’t log in.

“I was really frustrated about it,” she said, observing that while there weren’t any spam posts published without her knowledge, the number of blogs her account followed had jumped from 150 to nearly 900.

While it’s always an option to leave Yahoo entirely, many people are looking for safe ways to remain within their familiar online communities. Sicklick, a senior at the University of Utah, was eventually able to reset her password and get back into the account. She unfollowed hundreds of other Tumblr blogs, changed her password, and enabled notifications about any new account activity.

Sicklick’s experience isn’t unique. Numerous Tumblr users, active and largely inactive, have complained on social media in recent months that their accounts have been compromised. The social-microblogging service, which Yahoo acquired in 2013, counts millions of well-educated 18- to 29-year-old urbanites as passionate users, according to Pew Research.

Breaches of Tumblr accounts can cause more pain than Sicklick experienced. Malware embedded in a 2012 post by troll group GNAA infected any Tumblr account that viewed it with a corresponding post calling for the blog publisher to commit suicide. The group claimed that it infected 8,600 users at the time. And a 2013 data breach, Tumblr disclosed this May, compromised the credentials of more than 65 million accounts (though because of the way they were stored, hackers would have a hard time actually using them).

“Social-media accounts are fairly high-value things in the digital underground,” says Lysa Myers, security researcher at ESET, because people tend to apply less scrutiny when viewing information and clicking on links ostensibly shared by someone they trust.

Tumblr announced at the end of July that its users will soon profit from ads, yet another reason to ensure that accounts are secure. If your Tumblr is hacked, security experts and Tumblr recommend taking the following steps.

Restrict email account access

“Very often, social-media hijacking happens by way of password resets,” says Christopher Budd, global threat communications manager at Trend Micro. If someone were to access the email account associated with your Tumblr, he could perform password resets for any other accounts linked to it.

So ensure that you’re still able to access that email address, and that there isn’t any unusual account activity or any change to permissions, such as email forwarding to an unfamiliar address.

Log into Tumblr

If you can do this, jump ahead to the next step. If you can’t, you’ll need to either perform a password reset or contact Tumblr for further support. Once you fill out the reset request, Tumblr will email you a link. You’ll also be asked to enter an authorization code, if you have two-factor authentication enabled.

Change your password, and enable two-factor authentication

Now that you’ve gotten in, “Close the door, and lock the door,” Budd says. Start by updating your log-in credentials with a strong, complex password that you don’t reuse on any other account.

You can add an extra layer of security by enabling two-factor authentication, which requires you to enter both a code and a password to access your account. The code is sent via SMS or generated with an app such as Google Authenticator. To enable two-factor authentication, navigate to the settings tab. In the “Security” section, provide your phone number, and decide how you’d like to receive the authentication code.

Kick out suspicious sessions and connected apps

To ensure that an attacker isn’t logged into your account, scroll down to the “Active Sessions” section in the account settings. Remove any sessions that aren’t yours by clicking the X next to them.

If you’d like to be emailed when someone logs into your account, click the toggle switch next to “Email me about account activity” under the “Security” section.

Then navigate over to the toolbar on the right, and click “Apps.” Revoke access for any suspicious apps.

Delete unauthorized posts, and tell your followers

Now it’s time to clean up your blog. Delete any posts attackers might have created. Links embedded in the posts might be serving as phishing attempts or redirects to malware downloads.

Let your followers know that any links posted from your account recently could be malicious, and advise anyone who has opened one to check that their account or machine hasn’t been compromised.

“It’s not a fun message to put up, but it’s a responsible one,” Budd said.

Don’t forget about connected accounts

If you’ve previously allowed Tumblr to cross-post to other accounts, such as Facebook or Twitter, check the linked accounts too.

Likewise, if you’ve reused the password for your compromised Tumblr account on any other sites, check those sites, and update those passwords too.

For more help, visit Tumblr’s “Account Security” page to contact Tumblr support.