Buffer Users' Facebook and Twitter Feeds Spammed After Hacking
Buffer, the social-media management service that lets users schedule posts to Twitter, Facebook and Google+, has been hacked.
As a result, Buffer users who have authorized social sign-in through Buffer or linked their accounts to their social profiles may have inadvertently sent out unauthorized spam messages.
When alerted to the situation on Twitter, Buffer sent out the following message:
Hi all. So sorry, it looks like we've been compromised. Temporarily pausing all posts as we investigate. We'll update ASAP.
- Buffer (@buffer) October 26, 2013
Buffer, which helps users easily save links to share at a later date, has 1 million registered users. It integrates with a host of social networks, and users can log in with their Facebook or Twitter credentials.
It appears that Buffer's Facebook and Twitter spam messages were first sent at around 2:20 p.m. ET. I was alerted to a Buffer-related spam post on my personal Facebook page via Twitter.
A Twitter search confirms the timing.
Although I have a Buffer account, I almost never use the service. And while I have linked Buffer to my Facebook account, I've never used the service to post to my account (it was set 'not to share' by default in my Buffer settings).
Most reports indicate that Buffer's hacked Facebook messages include the text, 'For anyone that's reading the newsfeed right now, I just wanna say that I lost 8 pound this week...'
@buffer it sucks to have a friend show me this pic of my fb status while on a road trip... pic.twitter.com/aiO3GlqTgT
- Katelyn Friedson (@kfriedson) October 26, 2013
However, Twitter doesn't seem to be exempt from this attack, judging from this tweet from the account of respected venture capitalist Fred Wilson:
Losing weight is easy with this new secret http://t.co/PixuopRXw3
- Fred Wilson (@fredwilson) October 26, 2013
Buffer said it is currently investigating, and has shut off all posting by the service.
In the meantime, if your Buffer account was compromised, we recommend changing your password (or creating one, if you haven't set it up), and de-authorizing the service from accessing your Twitter and Facebook accounts.
Because Buffer uses OAuth (and doesn't store your Twitter or Facebook passwords on its servers), it's probably not necessary to change your passwords for those services; but if you want to be absolutely cautious, go ahead and do so.
We've reached out to Buffer for comment, and will post more information as it becomes available.