Ask HN: Buffer got hacked - does anyone know details?

116 points | andreasklinger | 12 years ago | reply

It seems like @buffer got hacked.

https://twitter.com/search?q=%40buffer&src=typd&f=realtime

The guys seem to be on it.

Last information: They confirmed they got hacked, turned off publishing, and they are investigating the issue.

[+] leowidrich|12 years ago|reply
I greatly apologize for the mess. Thanks for posting this! We're looking into this right now.

- All FB posts via Buffer are temporarily deleted. They will reappear again once we've enabled the FB app again (which we'll do once we're sure we're not compromised anymore).

- All Tweets are also stopped from sending.

We'll keep you updated from the @Buffer twitter and FB account.

- Leo

[+] FredericJ|12 years ago|reply
Do you know what has been compromised?

How do you store the Buffer passwords? SHA1(password+salt)?
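
An added illustration of the question just asked, not code from Buffer or from anyone in this thread: the SHA1(password+salt) scheme beside a slow, salted, iterated KDF (PBKDF2-HMAC-SHA256, written over Go's standard library so nothing external is needed), with a self-describing record format and a constant-time check. The iteration count and sample passwords are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Iterations is the PBKDF2 work factor. Constructed value for this example;
// in production tune it so one verification costs a noticeable fraction of a
// second on the server hardware.
const Iterations = 100000

// WeakSHA1 is the SHA1(password+salt) scheme asked about above. The salt
// defeats precomputed tables, but one SHA-1 call is so cheap that a leaked
// table can be brute-forced at billions of guesses per second per GPU.
func WeakSHA1(password, salt []byte) []byte {
	sum := sha1.Sum(append(append([]byte{}, password...), salt...))
	return sum[:]
}

// PBKDF2SHA256 derives keyLen bytes from password and salt (RFC 8018).
// Every iteration is a fresh HMAC, so an attacker pays the same work
// factor per guess that the server pays per login.
func PBKDF2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte{}, u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// HashPassword returns "pbkdf2-sha256$iter$salt$hash" with a fresh random
// 16-byte salt; storing the parameters lets the work factor be raised later
// without invalidating existing rows.
func HashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := PBKDF2SHA256([]byte(password), salt, Iterations, 32)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", Iterations,
		hex.EncodeToString(salt), hex.EncodeToString(dk)), nil
}

// VerifyPassword recomputes the hash from the stored record and compares in
// constant time, so the comparison leaks nothing about matching prefixes.
func VerifyPassword(record, password string) (bool, error) {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false, errors.New("unrecognised password record")
	}
	iter, err := strconv.Atoi(parts[1])
	if err != nil || iter < 1 {
		return false, errors.New("bad iteration count")
	}
	salt, err := hex.DecodeString(parts[2])
	if err != nil {
		return false, err
	}
	want, err := hex.DecodeString(parts[3])
	if err != nil {
		return false, err
	}
	got := PBKDF2SHA256([]byte(password), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

func main() {
	rec, err := HashPassword("correct horse battery staple") // constructed sample
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", rec)
	ok, _ := VerifyPassword(rec, "correct horse battery staple")
	fmt.Println("right password accepted:", ok)
	ok, _ = VerifyPassword(rec, "hunter2")
	fmt.Println("wrong password accepted:", ok)
}
```

The point a defender takes from the pair: with the weak scheme, a leaked table is a short offline job; with an iterated KDF the same leak costs the attacker the server's full work factor for every guess, and the record format lets that factor grow over time.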

[+] 300bps|12 years ago|reply
We're looking into this right now.

How'd they get into your system? Was it a Buffer Overflow?

[+] shortformblog|12 years ago|reply
Good work handling this; I'm glad to know that I didn't need to revoke access because you guys were already on top of it.
[+] emhart|12 years ago|reply
Best of luck. I, and hopefully everyone else, will be here, ready to buffer more content, when you get it sorted out.
[+] chmars|12 years ago|reply
Are you affiliated with Buffer App? Your profile is not that helpful …
[+] iriche|12 years ago|reply
Just got this email:

Hi there,

I wanted to get in touch to apologize for the awful experience we've caused many of you on your weekend. Buffer was hacked around 1 hour ago, and many of you may have experienced spam posts sent from you via Buffer. I can only understand how angry and disappointed you must be right now.

Not everyone who has signed up for Buffer has been affected, but you may want to check on your accounts. We're working hard to fix this problem right now and we're expecting to have everything back to normal shortly.

We're posting continual updates on the Buffer Facebook page and the Buffer Twitter page to keep you in the loop on everything.

The best steps for you to take right now and important information for you:

- Remove any postings from your Facebook page or Twitter page that look like spam
- Keep an eye on Buffer's Twitter page and Facebook page
- Your Buffer passwords are not affected
- No billing or payment information was affected or exposed
- All Facebook posts sent via Buffer have been temporarily hidden and will reappear once we've resolved this situation

I am incredibly sorry this has happened and affected you and your company. We're working around the clock right now to get this resolved and we'll continue to post updates on Facebook and Twitter.

If you have any questions at all, please respond to this email. Understandably, a lot of people have emailed us, so we might take a short while to get back to everyone, but we will respond to every single email.

- Joel and the Buffer team

[+] jlees|12 years ago|reply
Hmm, I was affected (my twitter account sent a spam post) but I didn't receive an email. I only found out about it via HN. :/
[+] abracar|12 years ago|reply
Outstanding email. Being hacked sucks but Buffer is handling it very well, at least communication-wise.
[+] ericabiz|12 years ago|reply
They're asking people to revoke Buffer as an app: https://www.facebook.com/bufferapp/posts/566007046805080

Brutal. Once you revoke it, there's little to no chance that you're going to re-invoke it.

I've seen stuff like this get ugly in the past [1] -- I really like and respect the Buffer founders and hope they can recover from this.

[1]: http://en.wikipedia.org/wiki/Gnolia

[+] mpeg|12 years ago|reply
Wow that's terrible, I guess it means they stored their access tokens with no encryption.

Personally feeling slightly smug now, I actually applied for a job there not too long ago and got a half-hearted rejection without any feedback (or the courage to actually reject me). I have direct experience in doing security for a Facebook SPMD - we never got successfully hacked, and yet we ran scenarios like this in our mind all the time.

[+] dylanhassinger|12 years ago|reply
people love buffer

we'll re-invoke it

[+] joelgascoigne|12 years ago|reply
Sorry about this everyone, I know we messed up a lot of people's weekends.

We're working pretty hard to get to the bottom of everything.

Let me know if you have questions, I'll try and answer them all.

[+] boy88|12 years ago|reply
Hi Joel, anything you would recommend other devs who're connecting with Facebook or any other social media API to look into? Maybe you can share what you guys have learned regarding security and how to do it better from this.
[+] chime|12 years ago|reply
I think considering the gravity of the situation, you and your team have handled this nightmare pretty well so far. Any of us who write software could end up in a similar situation - be it caused by a small configuration mistake, a slightly out of date 3rd party library, or a skilled, determined attacker.

When I see a local credit union site written in VBScript get hacked, I don't worry too much because it was probably riddled with SQL-injection bugs that any script kiddie can exploit. However, I know that you guys take data security seriously (you and I Skyped a while ago) and yet this happened. That's what worries devs like me the most.

I think it would be very helpful to us all (including many of your tech-savvy users) if you would write a detailed blog entry describing what actually happened and how. I believe you're encrypting tokens now but how did they get exposed in the first place? Was it a framework issue? Unhandled exceptions? Wrong chmod on a log file? New employee hooking up trojan'ed PC to your internal network? Here's hoping you feel comfortable in sharing.

[+] borski|12 years ago|reply
Buffer is handling this exceptionally well; I'm impressed and it isn't easy. We've caught bugs that lead to this sort of exploitation in the past, so if anyone from Buffer is reading this: we're happy to help you out and offer a few free months of website security scanning while you figure out exactly what happened. Just email me at [email protected]
[+] antr|12 years ago|reply
I'm sorry for the Buffer team, it's not going to be a fun Saturday. The Buffer team is superb, both on product and customer service, so I'm sure things will be sorted out pretty quickly.
[+] morgante|12 years ago|reply
I really feel for the Buffer team. They make an awesome product and it's hard to prevent things like this, especially when social media doesn't generally have great security right now.

Though I don't want to be crass, I can't help but mention that I'm working on a project to help minimize the damage from these sorts of things. Would be interested in any feedback. (http://socialsecurity.io)

[+] nwh|12 years ago|reply
Can anybody explain weight loss spam to me? Is it just to gain credit card details, advertising clicks?
[+] deweerdt|12 years ago|reply
> Accounting for how much spam actually reaches the inbox, we estimate that only about 1 in 25,000 people needs to succumb to the temptation to make a grey-market purchase to make it profitable for spammers to inundate everyone with advertisements at current levels.

http://www.davidreiley.com/papers/SpamEconomics.pdf

[+] edcrfv|12 years ago|reply
All our recent posts on social media (facebook, twitter) via buffer seem to have been automatically deleted. That's a lot of engaging posts, gone in a poof!
[+] iriche|12 years ago|reply
So it seems that they deleted all old posts without checking source?
[+] iriche|12 years ago|reply
I posted something on Facebook too it seemed, removed it instantly. But yeah, kind of makes you think twice about what services to use.
[+] dylanhassinger|12 years ago|reply
shit happens

buffer rocks and is handling this in an A+ way

[+] tokanizar|12 years ago|reply
I don't think you can find a service that makes a promise that they will never get hacked or be down. Come on, look at what they've done with the situation.
[+] pearjuice|12 years ago|reply
As bad publicity is publicity too; what is Buffer if I may ask? First time I heard of it.
[+] nathas|12 years ago|reply
Buffer is a service where you can link your Twitter/Facebook/etc accounts and share them at timed intervals. It "buffers" your updates for you so you can release them on a specific timeline.
[+] denzil_correa|12 years ago|reply
Buffer is a great app, particularly for Twitter. I use it regularly across all devices. I don't use it for Facebook though. I haven't observed anything untoward on my Twitter account. I am tempted to temporarily revoke app permissions on Twitter though.
[+] OoTheNigerian|12 years ago|reply
Before rushing to disable, do note:

All updates have been paused.

Passwords and payment information have NOT been compromised.

It would be sorted out in a bit.

[+] langer|12 years ago|reply
Kudos to Joel, Leo and the team for how they're handling it so far. The speed with which Joel had a comprehensive email update out to every user was impressive. I hope they resolve it soon.
[+] zaidf|12 years ago|reply
How did they store the Facebook Graph tokens in the db? It's akin to a password so here's hoping they used 2-way encryption.
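
An added example for the token-storage question raised here and in mpeg's comment above; it is not Buffer's code nor anyone's in this thread. It shows the "2-way encryption" idea in working form: third-party access tokens sealed with AES-256-GCM under a key that lives outside the database, with the owning user id bound in as associated data. The key source, user ids and token value are constructed stand-ins.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// TokenVault encrypts provider access tokens before they reach the database.
// The key is held outside the DB (environment, KMS or HSM in a real
// deployment; generated in memory in this example), so a dump of the
// tokens table alone yields nothing a spammer can post with.
type TokenVault struct {
	aead cipher.AEAD
}

// NewTokenVault wraps a 32-byte key in AES-256-GCM.
func NewTokenVault(key []byte) (*TokenVault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead}, nil
}

// Seal encrypts token for userID. The user id is authenticated as
// associated data, so a ciphertext copied into another user's row fails
// to decrypt instead of silently handing over someone else's token.
func (v *TokenVault) Seal(userID, token string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Stored layout: nonce || ciphertext || GCM tag, base64 for a text column.
	ct := v.aead.Seal(nonce, nonce, []byte(token), []byte(userID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal. A flipped bit, a wrong key or a mismatched user id
// all produce an error rather than garbage plaintext.
func (v *TokenVault) Open(userID, blob string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(ct) < ns+v.aead.Overhead() {
		return "", errors.New("stored token blob too short")
	}
	pt, err := v.aead.Open(nil, ct[:ns], ct[ns:], []byte(userID))
	if err != nil {
		return "", errors.New("token blob failed authentication")
	}
	return string(pt), nil
}

// NewKey returns a fresh 256-bit key; stand-in for fetching one from a KMS.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func main() {
	key, _ := NewKey()
	vault, _ := NewTokenVault(key)
	// Constructed sample: a fake OAuth access token for a fake user.
	blob, _ := vault.Seal("user-42", "EXAMPLE-ACCESS-TOKEN-not-real")
	fmt.Println("database column holds:", blob)
	tok, err := vault.Open("user-42", blob)
	fmt.Println("owner reads back:", tok, err)
	_, err = vault.Open("user-99", blob)
	fmt.Println("blob moved to another user's row:", err)
	other, _ := NewKey()
	attacker, _ := NewTokenVault(other)
	_, err = attacker.Open("user-42", blob)
	fmt.Println("dump without the real key:", err)
}
```

Encryption at rest only helps if the key is not sitting next to the data, so the design choice that matters is where NewKey's stand-in really comes from; the associated-data binding is the cheap extra that stops row-swapping inside a partially compromised database.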
[+] homakov|12 years ago|reply
Providers should create an anti-spam system, so when clients get hacked they don't receive tons of spam on users' walls.
[+] tehwalrus|12 years ago|reply
My twitter account seems unaffected - I've disabled the app in settings for now though.

(I will be re-enabling ASAP - I use this app a lot!)

[+] brackin|12 years ago|reply
There were no spam posts on the 5 accounts I've enabled, so it doesn't seem to affect everyone.
[+] nav|12 years ago|reply
@fredwilson account also got hacked. batch.me anyone (product plug ;)
[+] gregimba|12 years ago|reply
In my opinion it's poor form to be plugging your product here.