A serious attack involving a widely used Web communication format is exposing millions of end users’ authentication credentials on sites including eBay, Tumblr, and Instagram, a well-respected security researcher said Tuesday. The exploit—which stems from the ease of embedding malicious commands into Adobe Flash files before they’re executed—has been largely mitigated by a Flash security update Adobe released Tuesday morning to coincide with a technical analysis of the threat, including proof-of-concept exploit code. It will take days or weeks for a meaningful percentage of end users to install the fix, so the researcher who wrote the advisory is warning engineers at large websites to make server-side changes that will minimize the damage attackers can inflict on visitors.