So I got this email:
I was a little worried about clicking, but the URL did appear to go to https://www.tumblr.com/ so I clicked it. Then I landed on this page:
WTF? Yeah, I’m pretty sure I’m on tumblr.com, but no way I’m resetting my password through a link I clicked in an email. I don’t know why they thought this was a good idea. Even if people do follow this process, they’re just training tumblr users to be phishing victims in the future.
I’m not really sure it’s a great user experience to try to scavenge usernames in this way, either.