Buffer halts automated social-sharing service after it gets hacked and starts spewing spam

Buffer, a service that allows users of social networks like Twitter and Facebook to schedule their updates for specific times, was forced to take itself offline on Saturday after users found the feature was posting diet spam to their accounts. Founder and CEO Joel Gascoigne said on Twitter that the service had halted all outgoing posts from Buffer while it investigated the source of the scam.

The exploit appeared to affect a number of power users, including Union Square Ventures partner and Twitter backer Fred Wilson, as well as a number of corporate accounts that use Buffer to post updates at specific times throughout the day. In broad terms, it seemed similar to the diet-spam attack that hit Instagram earlier this year and filled people’s timelines with photos of fruit.

Buffer co-founder Leo Widrich told Buffer customers that they should either change their Facebook passwords or revoke Buffer’s social-sharing permissions in order to prevent any unwanted posts, and that the company was doing everything it could to block the hack and restore the service. If you want to block Buffer from posting to your Twitter timeline, you can do that on the settings page, and you can do the same with Facebook’s application settings.

In an email sent to users (and also posted to Buffer’s blog), Gascoigne said that no billing or payment information was compromised or exposed, and that regular Buffer posting would resume once the issue was resolved. The email also said:

“I wanted to get in touch to apologize for the awful experience we’ve caused many of you on your weekend. Buffer was hacked around 1 hour ago, and many of you may have experienced spam posts sent from you via Buffer. I can only understand how angry and disappointed you must be right now. I am incredibly sorry this has happened and affected you and your company. We’re working around the clock right now to get this resolved.”

Update: On its blog Saturday evening, Buffer said it had “increased security for how [we] store Twitter tokens and deployed a fix,” but was still working with Facebook to resolve the issue, and therefore connecting or posting was still disabled.

Late Saturday, the company said all posting through its service had been restored, and that it had “greatly increased the security” of how it handles messages, by encrypting all access tokens for both Twitter and Facebook as well as adding other measures.