Edit: just confirmed that it works.
Basically lets you search users by id or email, then gives you the ability to change their email/reset password.
Admin dashboard: http://img.skitch.com/20080415-ef6k9c8hpbasi9g137j6u4iqrs.jp...
Clicking "password": http://img.skitch.com/20080415-day5r87i8tbt9iaqrtf73tpnnd.jp...
Clicking "email": http://img.skitch.com/20080415-bg12j2y7wxmeqn44pmctcs69e3.jp...
And clicking "edit" tumblog: http://img.skitch.com/20080415-cg7iwrmc7gu2a58qkmcnfre6ka.jp...
Don't worry, I didn't do anything!
Ironically they don't obey one of the primary rules of usability for websites: have a link to contact info on the front page.
"Aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe." - http://www.mrc-cbu.cam.ac.uk/~mattd/Cmabrigde/
Also has a great bookmarklet and a neat api.
You can essentially take control of Tumblr.
Errare humanum est.
Oh well, everyone overlooks something that seems obvious to someone else, I guess.
Saying security is less important because it's not a bank doesn't make sense, because it's issues like this that can cost a company its existence.
It is a problem, just saying that I vote the developer keeps his job because I like Tumblr.
Tumblr has a great but small team, just like most of us on this site. As someone who makes mistakes, I offer them empathy and sympathy.
"We’d also like to make a special apology to Julia Allison, whose account was temporarily affected by our mistake."
Oh, by the way, if you can't code, have somebody look at your code.
The perverse irony of all of this is that the incident reminded me that I've got a Tumblr account. Before today, I hadn't logged in for over a year!
The thought of them just doing live deploys freaks me out... not the best practice... ever... ever... for a major site like theirs.
I think it's a great lesson so I think I'll make my startup's vital information globally accessible (admin functions, source code, even my billing info for the ISP) and trust to my fellow human beings' goodwill.
I love you guys!!