Quick security lesson
The previous post was blunt but was required to spread the word as quickly as possible. I also want to mention that I have nothing against the author nor do I claim he is indeed using your information in ways that are unacceptable, but the fact remains that it is a possibility and it is terrible security practice to divulge your information in this way. Now, I will explain why I have reacted the way I have with tumblrcloud.
When you sign up for tumblr (or any other service on the web, i.e. google, amazon, msn, etc), you provide an e-mail address or username and password of your choosing to a) identify who you are (via your e-mail address/username) and b) authenticate that you are indeed who you say you are (via your password, which more often than not is used in multiple places). This lets you use a given service under an established identity without others using the same identity themselves. Now, in tumblr land, both your e-mail address and password (or rather, a hashed version of it [hopefully]) are protected in tumblr’s databases (which that too might not be secure, but let’s just say it is for now) and no one other than you or the tumblr staff should have access to this data. It is a best security practice to never EVER provide your established credentials with a site (such as tumblr) with any other site (such as tumbrlcloud).
By providing your identity to the tumblrcloud tool, which is not an official tumblr tool, you are now adding the author of that tool to the list of people who have access to your username and password, which establish identity. This information could be stored (which the author probably has to in order to access your tumblr posts to compute word usage) to be used for any purpose of the author’s choosing (such as gathering a database of e-mail addresses to sell to spammers or selling identities on the internet). There are no agreements (such as a privacy policy) and security audits to determine that your identity is secure.
Here’s a real world example of how dangerous this could be. How many of you use the same username and password combination for both tumblr and facebook? I’m sure many of you just responded with yes. By giving your identity credentials to the author of this tool, you’re effectively handing him the potential to access to your facebook account at any time. The worst part is, he could then use your facebook account to passively monitor your and your friends activities, without ever alerting you or your friends of his presence. It’s this kind of thing that we need to be very worried about.
In conclusion, please do not ever use your login information established on some site with others. If you did indeed use this tool (which many of you have), I recommend changing your tumblr password (and any other accounts that use this e-mail/password combination) as soon as you can. The last thing you want is someone to mess with your data and your identity.
I hope this was helpful and that you too will be more diligent with your browsing habits.
(Again, I’m not picking solely on this tool creator but I’m using this as an example to remind you to be very conscious of who you divulge your information to on the internet. I think the creator (who from what I can tell is in the computer industry) should be ashamed of releasing such a tool without fully understanding the ramifications of asking for users identities)
