BreachExchange mailing list archives

Hackers use Buffer to Send Out Spam on Twitter and Facebook


From: Lee J <lee () riskbasedsecurity com>
Date: Tue, 29 Oct 2013 01:59:44 +1100

http://www.infosecurity-magazine.com/view/35287/hackers-use-buffer-to-send-out-spam-on-twitter-and-facebook/

Buffer, a social media app, allows its users to schedule and automatically
post updates to social media sites such as Facebook and Twitter. Over the
weekend it started posting weight-loss spam tweets and posts.

But rather than lose friends, Buffer's <http://bufferapp.com/> speedy
response, and open and transparent process, is being held up as an
example of how to respond to a breach. The first sign of the hack was the
appearance of the spam on users' Twitter accounts and Facebook walls.
Typical was: "Losing weight is easy with this new secret bit.ly/Hh1nnn."

Buffer's CEO Joel Gascoigne quickly posted
<http://open.bufferapp.com/buffer-has-been-hacked-here-is-whats-going-on/>
an apology "for the awful experience we’ve caused many of you on your
weekend. Buffer was hacked around 2 hours ago, and many of you may have
experienced spam posts sent from you via Buffer." He stressed that no
billing or payment information was affected or exposed to the hackers.

Then, in a series of updates to the post, he kept users informed on what
had happened and what Buffer was doing to redress things. By 1pm PST he was
able to say, "No more spam updates should occur at this point, as all
posting has been disabled." By 5:30pm PST he could add, "Twitter should be
working again 100%."

By 8:00pm he was able to announce, "All posting is working again!" He
explained that Buffer intends to publish an in-depth post about what had
happened and what the company has done to fix it, but in the meantime, "we
encrypted all access tokens for Twitter and Facebook and also added other
security measurements to make everything much more bullet proof."

The following afternoon he provided further details. According to Facebook,
around 30,000 Buffer users (just over 6% of its 476,000 Facebook-connected
users) had been affected. "Service has resumed with increased security
since the incidents," he added. Buffer has more than 1 million users in
total.

Gascoigne has also reiterated his promise to publish an in-depth account on
what happened. "We’re working with several security experts on tracking
down exactly how it was possible for the spammers to get into our system.
We’re making good progress on this, this morning."

But the most surprising part of the process has been the largely positive
and supportive response from Buffer's users. Rather than the usual anger
and accusations from affected users, the response has been favorable:
"Proof positive that full transparency and openness is the only way to go
when situations like this occur," commented one user. It appears that users
understand that hacks occur, but what they most want is to be kept informed
on what is happening.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
