Tumblr cleans up after hack

Thousands of Tumblr users have been inundated with spam, following a worm launched by hacking group GNAA.

The hack – which seems to have hit only a few thousand of Tumblr’s 80 million blogs – doesn’t appear to have any motive beyond mischief.

Victims have been receiving a rather long, rambling message referring to ‘the most fucking worthless, contrived, bourgeoisie [sic], self-congratulating and decadent bullshit the internet ever had the misfortune of facilitating’.

It also warns that deleting the post will wipe the user’s entire Tumblr account – although this doesn’t appear actually to be the case.

Tumblr has acknowledged the problem in a blog post.

“This morning, some of you may have noticed a spam post appearing repeatedly on your Dashboard and on the blogs of a few thousand affected accounts. We quickly identified the source, removed the posts, and restored service to normal,” it reads.

“No accounts have been compromised, and you don’t need to take any further action. Our sincere apologies for the inconvenience. As always, we are going to great lengths to make sure this type of abuse does not happen again.”

According to Sophos, the hackers did the deed by taking advantage of Tumblr’s reblogging feature, so that anyone who was logged into Tumblr and visited one of the offending pages would automatically reblog the post, which carried the malicious code embedded inside it.

“It shouldn’t have been possible for someone to post such malicious JavaScript into a Tumblr post – our assumption is that the attackers managed to skirt around Tumblr’s defences by disguising their code through Base64 encoding and embedding it in a data URI,” says Sophos’s Graham Cluley.
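The evasion Cluley describes works against a content filter that only scans the raw markup for script: a `<script>` tag that has been Base64-encoded into a `data:` URI contains none of the characters such a scan looks for. The following Python is an added illustration written for this article, not Tumblr’s filter or Sophos’s analysis; the sample post and the detection functions are constructed here, and the real worm payload is not reproduced. It contrasts a flat string check with a check that decodes every `data:` URI found in URL-bearing attributes and inspects the decoded payload and its declared MIME type.

```python
import base64
import binascii
import re
import urllib.parse
from html.parser import HTMLParser

# Attributes that take a URL and can therefore carry a data: URI.
URL_ATTRS = {"href", "src", "data", "action", "formaction", "poster", "xlink:href"}

# MIME types a browser will execute or render as a document rather than as inert media.
ACTIVE_MIME = {"text/html", "application/xhtml+xml", "image/svg+xml",
               "text/javascript", "application/javascript"}

# Markers of active content; applied to the DECODED payload, not only the raw post.
SCRIPT_MARKERS = re.compile(r"<script\b|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

DATA_URI = re.compile(
    r"^\s*data:(?P<mime>[^;,]*)(?P<params>(?:;[^;,]*)*),(?P<body>.*)$",
    re.IGNORECASE | re.DOTALL,
)


def decode_data_uri(value):
    """Return (mime, payload_bytes) for a data: URI, or None if value is not one."""
    m = DATA_URI.match(value)
    if not m:
        return None
    mime = (m.group("mime") or "text/plain").strip().lower()
    params = m.group("params").lower()
    body = m.group("body")
    if ";base64" in params:
        # Browsers tolerate whitespace inside base64 data URIs and missing padding,
        # so normalise both before decoding; undecodable input yields an empty payload.
        compact = re.sub(r"\s+", "", body)
        try:
            payload = base64.b64decode(compact + "=" * (-len(compact) % 4))
        except (binascii.Error, ValueError):
            payload = b""
    else:
        payload = urllib.parse.unquote_to_bytes(body)
    return mime, payload


class UrlAttrCollector(HTMLParser):
    """Collect every URL-bearing attribute value in a fragment of post HTML."""

    def __init__(self):
        super().__init__()
        self.found = []  # (tag, attribute, value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in URL_ATTRS:
                self.found.append((tag, name, value))

    handle_startendtag = handle_starttag


def naive_check(html):
    """Flat string scan: sees only script markers that appear in the clear."""
    return bool(SCRIPT_MARKERS.search(html))


def find_hidden_script(html):
    """Decode each data: URI in the post and report those carrying active content."""
    collector = UrlAttrCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for tag, attr, value in collector.found:
        decoded = decode_data_uri(value)
        if decoded is None:
            continue
        mime, payload = decoded
        text = payload.decode("utf-8", errors="replace")
        if mime in ACTIVE_MIME or SCRIPT_MARKERS.search(text):
            hits.append({"tag": tag, "attr": attr, "mime": mime, "decoded": text[:80]})
    return hits


def is_safe_post(html):
    """Accept a post only if neither the raw markup nor any decoded data: URI carries script."""
    return not naive_check(html) and not find_hidden_script(html)


# Constructed sample post (not the real worm payload): a link whose data: URI hides a
# base64-encoded <script> tag, next to a harmless inline PNG. The encoded string is
# base64 of '<script>alert(1)</script>', a canary rather than a working payload.
SAMPLE_POST = (
    '<p>Reblog this!</p>'
    '<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">click</a>'
    '<img src="data:image/png;base64,iVBORw0KGgo=" alt="harmless">'
)

if __name__ == "__main__":
    print("naive check flags sample:", naive_check(SAMPLE_POST))  # False: the script is hidden
    for hit in find_hidden_script(SAMPLE_POST):
        print("hidden active content:", hit)
    print("safe to publish:", is_safe_post(SAMPLE_POST))  # False
```

The flat scan passes the sample because the Base64 alphabet contains no `<`, `:` or whitespace, so nothing it matches on survives encoding; the decoding check flags the link both because its declared type is `text/html`, which a browser will render as a page, and because the decoded body contains a `<script>` tag, while the inline PNG is left alone. A filter for user-generated HTML should apply the decoded check (or simply refuse `data:` URIs with active MIME types) rather than relying on the raw-text scan.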