Buffer, a social media app, allows its users to schedule and automatically post updates to social media sites such as Facebook and Twitter. Over the weekend it started posting weight-loss spam tweets and posts.
But rather than lose friends, Buffer's speedy response, and open and transparent process, is being held up as an example of how to respond to a breach. The first sign of the hack was the appearance of the spam on users' Twitter accounts and Facebook walls. Typical was: "Losing weight is easy with this new secret bit.ly/Hh1nnn."
Buffer’s CEO Joel Gascoigne quickly posted an apology “for the awful experience we’ve caused many of you on your weekend. Buffer was hacked around 2 hours ago, and many of you may have experienced spam posts sent from you via Buffer.” He stressed that no billing or payment information was affected or exposed to the hackers.
Then, in a series of updates to the post, he kept users informed on what had happened and what Buffer was doing to redress things. By 1pm PST he was able to say, “No more spam updates should occur at this point, as all posting has been disabled.” By 5:30pm PST he could add, “Twitter should be working again 100%.”
By 8:00pm he was able to announce, "All posting is working again!" He explained that Buffer intends to publish an in-depth post about what had happened and what the company has done to fix it, but in the meantime, "we encrypted all access tokens for Twitter and Facebook and also added other security measurements to make everything much more bullet proof."
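The remediation Buffer describes, encrypting stored OAuth access tokens, is worth seeing in working code, because the details decide whether it actually helps. The example below is an added illustration, not Buffer's code (Buffer's post does not say how the tokens were encrypted); it assumes a service that keeps one AES-256 key outside the database (environment variable, KMS or HSM) and stores each user's provider token in a table row keyed by user ID and provider. The key handling, the `TokenVault` type and the sample token are assumptions for the example. The point it shows is that a dump of the tokens table is useless without the key, and that binding each ciphertext to its user and provider as additional authenticated data stops an attacker who can write to the database from copying one user's encrypted token into another user's row.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// TokenVault wraps OAuth access tokens with AES-256-GCM before they are written
// to the database. The key is assumed to live outside the database (env var,
// KMS, HSM), so a dump of the tokens table alone yields nothing usable.
type TokenVault struct {
	aead cipher.AEAD
}

// NewTokenVault builds a vault from a 32-byte key (AES-256).
func NewTokenVault(key []byte) (*TokenVault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead}, nil
}

// aad derives the additional authenticated data from the row identity. It is
// not secret; it only has to be the same on Seal and Open for a given row.
func aad(userID, provider string) []byte {
	return []byte(userID + "\x00" + provider)
}

// Seal encrypts token under a fresh random nonce and binds the ciphertext to
// (userID, provider). Output is base64(nonce || ciphertext || GCM tag).
func (v *TokenVault) Seal(userID, provider, token string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(token), aad(userID, provider))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open decrypts a stored value for the given row. A ciphertext moved to a
// different user's or provider's row fails authentication instead of
// handing out the wrong account's token.
func (v *TokenVault) Open(userID, provider, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns+v.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], aad(userID, provider))
	if err != nil {
		return "", errors.New("token failed authentication")
	}
	return string(pt), nil
}

func main() {
	// Key generated on the fly for the demo; a real service loads it from a KMS.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, err := NewTokenVault(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample token, not a real credential.
	sealed, _ := v.Seal("user-42", "twitter", "constructed-sample-token")
	fmt.Println("stored in DB:", sealed)
	tok, err := v.Open("user-42", "twitter", sealed)
	fmt.Println("own row:", tok, err)
	_, err = v.Open("user-7", "twitter", sealed)
	fmt.Println("copied to another user's row:", err)
}
```

Encryption at rest narrows the damage from a database exfiltration; it does nothing against an attacker who already controls the application servers that hold the key and decrypt tokens on every post, which is why disabling posting and revoking or re-issuing the provider tokens, as Buffer's timeline shows, still matter.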