Buffer, the social-media management service that lets users schedule posts to Twitter, Facebook and Google+, has been hacked.
As a result, Buffer users who have authorized social sign-in through Buffer or linked their accounts to their social profiles may have inadvertently sent out unauthorized spam messages.
When alerted to the situation on Twitter, Buffer sent out the following message:
Hi all. So sorry, it looks like we've been compromised. Temporarily pausing all posts as we investigate. We'll update ASAP.
 Buffer (@buffer) October 26, 2013
Buffer, which helps users easily save links to share at a later date, has 1 million registered users. It integrates with a host of social networks, and users can log in with their Facebook or Twitter credentials.
It appears that Buffer's Facebook and Twitter spam messages were first sent at around 2:20 p.m. ET. I was alerted to a Buffer-related spam post on my personal Facebook page via Twitter.
A Twitter search confirms the timing.
Although I have a Buffer account, I almost never use the service. And while I have linked Buffer to my Facebook account, I've never used the service to post to my account (it was set "not to share" by default in my Buffer settings).
Most reports indicate that Buffer's hacked Facebook messages include the text, "For anyone that's reading the newsfeed right now, I just wanna say that I lost 8 pound this week "
@buffer it sucks to have a friend show me this pic of my fb status while on a road trip... pic.twitter.com/aiO3GlqTgT
 Katelyn Friedson (@kfriedson) October 26, 2013
However, Twitter doesn't seem to be exempt from this attack, judging from this tweet from the account of respected venture capitalist Fred Wilson:
Losing weight is easy with this new secret http://t.co/PixuopRXw3
 Fred Wilson (@fredwilson) October 26, 2013
Buffer said it is currently investigating, and has shut off all posting by the service.
In the meantime, if your Buffer account was compromised, we recommend changing your password (or creating one, if you haven't set it up), and de-authorizing the service from accessing your Twitter and Facebook accounts.
Because Buffer uses OAuth (and doesn't store your Twitter or Facebook passwords on its servers), it's probably not necessary to change your passwords for those services, but if you want to be absolutely cautious, go ahead and do so.
Update: The Buffer team just sent this email out to all users:
Hi there,
I wanted to get in touch to apologize for the awful experience we've caused many of you on your weekend. Buffer was hacked around 1 hour ago, and many of you may have experienced spam posts sent from you via Buffer. I can only understand how angry and disappointed you must be right now.
Not everyone who has signed up for Buffer has been affected, but you may want to check on your accounts. We're working hard to fix this problem right now and we're expecting to have everything back to normal shortly.
We're posting continual updates on the Buffer Facebook page and the Buffer Twitter page to keep you in the loop on everything.
The best steps for you to take right now and important information for you:
Remove any postings from your Facebook page or Twitter page that look like spam
Keep an eye on Buffer's Twitter page and Facebook page
Your Buffer passwords are not affected
No billing or payment information was affected or exposed
All Facebook posts sent via Buffer have been temporarily hidden and will reappear once we've resolved this situation
I am incredibly sorry this has happened and affected you and your company. We're working around the clock right now to get this resolved and we'll continue to post updates on Facebook and Twitter. If you have any questions at all, please respond to this email. Understandably, a lot of people have emailed us, so we might take a short while to get back to everyone, but we will respond to every single email.
- Joel and the Buffer team