Social Scheduling Tool Buffer Gets Hacked, Floods Twitter And Facebook With Weight Loss Spam

If you’re a user of social media scheduling app Buffer, there’s a good chance that your Saturday morning has been less than relaxing. There have been numerous reports circulating today purporting that the service has been hacked, and just a few moments ago the company officially confirmed those reports in a tweet.

“Hi all. So sorry, it looks like we’ve been compromised,” the terse statement reads. “Temporarily pausing all posts as we investigate. We’ll update ASAP.”

At this point the company has said little else about the cause of the issue, but its effects are clear: users who have linked their social accounts to the service have been posting sketchy weight loss links like the ones seen below. The extent of the hack is also unclear at this point, but Buffer Chief Happiness Officer (yes, really) Carolyn Kopprasch has said that it doesn’t seem like every user has been affected by the exploit.

UPDATE: The Buffer team has posted an update on its blog that shines just a little more light on what happened. Perhaps most importantly, neither user passwords or billing/payment information were exposed.

Screen Shot 2013-10-26 at 2.55.37 PM


Speaking of affected Buffer users, you’re probably in the clear if your Facebook or Twitter accounts haven’t already started spewing spam — following a tweet from CEO Joel Gascoigne, all sharing from the service has been temporarily halted as the team tries to figure out what’s wrong. A quick attempt to sign in from the Buffer homepage confirms the team’s response — it’s impossible to sign in using a Twitter account, and the corresponding Facebook app seems to have been pulled into sandbox mode so the Buffer API is inaccessible to outside users. Even so, it wouldn’t be a bad idea to revoke Buffer’s access to your accounts just in case — you can disable Buffer from connecting to your Twitter account here, while doing the same on Facebook will require a trip to your application settings page.

While the slew of spammy links only seems to have begun within the last hour or so, it appears as though the root cause of problem may have begun a little earlier than that. Judging by the company’s timeline of tweets, the issues began late last night when some users reported not being able to access the service, while others claimed that their scheduled social posts had disappeared from the Buffer backend. I’ve reached out to the company for some additional insight and I’ll update this post as I learn more.