Tumblr users are currently being hit by a massive phishing scam that is tricking them into unknowingly handing over their login credentials.
Using three rogue website names — tumblrlogin.com, tumblrq.com and tumblrsecurity.com — the phishing scam asks users of the popular blogging platform to "revalidate your credentials" in order to access "hidden pornographic content," researchers at the security firm GFI Labs wrote.
The phishing scam has been lurking on Tumblr for days, the researcher said, and has already resulted in the theft of more than 8,000 login credentials.
The researchers hypothesized that the stolen login credentials "are simply a way to test if those users are logging into other services with the same credentials — at that point, everything from email accounts to Internet banking sites could be fair game."
Tumblr is sending an email to users who email its support team about phishing issues instructing them to never enter their credentials on any site other than the legitimate Tumblr page, and to change their passwords if they feel their account has been compromised, the security firm Kaspersky Lab reported.
Tumblr acknowledged the problem in a Twitter post today (June 28) at 12:40 p.m. EDT, writing, "We're experiencing intermittent errors on certain pages and are working quickly to restore performance."