Buffer has sent an email to its users, warning that its systems were compromised by hackers who have posted spam messages from customers’ Twitter and Facebook pages.
According to the Buffer website, over one million people use their service to share messages on Twitter, Facebook and other social media sites at the best time of day for maximising engagement.
The good news is that passwords have, apparently, not been compromised – and the hackers did not gain access to billing or payment information.
However, the fact that spam messages have been sent via the service through users’ social media accounts is clearly damaging.
Here’s an example of one of the spam messages that was sent, promoting a miracle diet:
Joel Gascoigne, the founder of Buffer, apologised for the inconvenience in a warning email to users – advising them to check their social media accounts for posted messages that looked like spam.
I wanted to get in touch to apologize for the awful experience we’ve caused many of you on your weekend. Buffer was hacked around 1 hour ago, and many of you may have experienced spam posts sent from you via Buffer. I can only understand how angry and disappointed you must be right now.
Not everyone who has signed up for Buffer has been affected, but you may want to check on your accounts. We’re working hard to fix this problem right now and we’re expecting to have everything back to normal shortly.
We’re posting continual updates on the Buffer Facebook page and the Buffer Twitter page to keep you in the loop on everything.
The best steps for you to take right now and important information for you:
* Remove any postings from your Facebook page or Twitter page that look like spam
* Keep an eye on Buffer’s Twitter page and Facebook page
* Your Buffer passwords are not affected
* No billing or payment information was affected or exposed
* All Facebook posts sent via Buffer have been temporarily hidden and will reappear once we’ve resolved this situation
Earlier, Buffer’s Facebook page advised users to change their passwords or disconnect the Buffer Facebook app from their accounts – as a means of preventing further spam posts from being made.
Of course, spammers will do anything they can to increase the number of people they can get to click on their links – and if they manage to send messages using the Facebook or Twitter account of a legitimate user, they know that friends and family are much more likely to click on the link, believing it to be legitimate.
Furthermore, it’s easy to imagine how the messages could be used for the purposes of phishing or spreading malware.
Although Buffer appears to have the situation under control, and more spam messages shouldn’t be sent, you may still wish to revoke access by the Buffer service to your Twitter and Facebook accounts until the all-clear is given.
Little is known so far about how the hackers managed to compromise Buffer, and one hopes that the site will quickly shut down any security weaknesses. One has to feel some sympathy for the firm, which has fallen victim to a criminal act.
But you have to feel even sorrier for the social media users who have had their timelines and newsfeeds sullied by the spam messages sent by the hackers.
If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.