October 28, 2013
Buffer Hack Fills Social Media Posts With Weight Loss Spam
Michael Harper for redOrbit.com - Your Universe Online
Social sharing tool Buffer was hacked on Saturday, resulting in thousands of spammy weight loss posts left on Facebook walls and Twitter streams.
Buffer is a social media scheduling service, allowing users to set up times to send out Tweets, posts, and the like. Buffer also allows users to share posts between social sites like App.net and Facebook.
Shortly after users began noticing the spammy posts, Buffer acknowledged the hack in a Tweet, saying: “Hi all. So sorry, it looks like we've been compromised. Temporarily pausing all posts as we investigate. We'll update ASAP.”
Buffer CEO Joel Gascoigne then posted a blog and emailed users apologizing for the hack and updating them on the latest news. The service was operational again late Sunday evening and, as an extra security measure, Buffer is asking users to once again reconnect their Twitter accounts. All told, some 30,000 Facebook users were affected by the hack.
Buffer users saw posts which read: “Losing weight is easy with this new secret,” and similar posts in their feeds and timelines on Saturday. Each post included a link which likely led those who clicked it to receive even more spam.
“I wanted to post a quick update and apologize for the awful experience we’ve caused many of you on your weekend,” wrote Gascoigne in his blog post. “Buffer was hacked around 2 hours ago, and many of you may have experienced spam posts sent from you via Buffer.”
“Not everyone who has signed up for Buffer has been affected, but you may want to check on your accounts. We’re working hard to fix this problem right now and we’re expecting to have everything back to normal shortly,” he said.
As Buffer allows for delayed and scheduled posts, the service is used by many businesses, meaning this hack could have seriously affected the startup's image and injured its customers. Shortly after Buffer suspended all posts, it discovered and eliminated the source of the weight loss messages before allowing posts to go through once more.
To prevent similar attacks, Buffer implemented security measures such as encrypting access tokens for both Facebook and Twitter posts. Any Facebook user affected by this attack can log back in to Buffer to retry their posts. Twitter users will be asked to reconnect their accounts before their posting will resume.
“We've greatly increased the security of how we handle all social messages being posted and everything is back to normal,” wrote Gascoigne on Sunday evening.
He also says he plans to post an in-depth report covering how the spammers got access to Buffer accounts and what personal data they were given access to.
Such hacks are becoming common, affecting users who have their social sites linked or their personal data shared with a service. Though Twitter accounts are often hacked and Facebook users are often infected with a virus they picked up after clicking a bogus link, some hackers choose to enter through the backdoor and hit the services that have access to this information.
Earlier this year, for example, Pinterest, Tumblr and Twitter users had their information leaked after help desk software provider Zendesk had its servers attacked.