Tumblr fixes ‘security bug’ that exposed user data
Tumblr, the microblogging platform owned by Oath Inc., has fixed a security flaw that exposed private user data via its “Recommend Blogs” feature, which suggests accounts for other users to follow.
The vulnerability, described only as a “security bug,” was uncovered “a few weeks ago” via a report to the service’s bug bounty program and resolved within 12 hours of being reported.
According to Tumblr, “if a blog appeared in the module, it was possible, using debugging software in a certain way, to view certain account information associated with the blog.” The service said it has no evidence that the “bug” was abused and saw “nothing to suggest” that unprotected account information was accessed, but said it wanted to be “transparent” about the incident — weeks after the fact.
It may seem surprising that Tumblr still exists in 2018, but it still generates a decent amount of traffic. According to Alexa, it’s the 51st most trafficked site on the internet and 25th within the United States.
Digging into those numbers, after the U.S., the most popular countries visiting Tumblr are the U.K. and Germany, both of which, the former for the time being, are members of the European Union and hence subject to General Data Protection Regulation 2016/679.
GDPR dictates that companies must disclose a data breach, potential or otherwise, within 72 hours. Tumblr took, in its own words, “a few weeks” to confess to exposing the data of its users.
Oath, which consists primarily of properties formerly owned by Yahoo Inc., was established by Verizon Communications Inc. in April 2017. By providing services to residents of the EU, Oath is required to comply with EU law, as Google LLC found out the hard way in August. There’s no word yet on EU action, but the case could potentially become an interesting test of GDPR compliance.
Photo: 1nesdliveira/DeviantArt