
How Buffer App Handled Their Hacking The Right Way



Hackings are a part of life in the online world. Many major websites, the New York Times for example, have experienced an episode of being hacked. So hackings can and will happen. The question about a hacking episode is how the company deals with it. Customer service is critical when an online company gets hacked because people are concerned that their passwords, personal information, and even their payment information have been stolen. Over the weekend, the social-media management service Buffer, which lets users schedule posts to Twitter, Facebook and Google+, was hacked.

I use the free version of Buffer to schedule my updates to my Facebook page at https://www.facebook.com/nvyoung and my Twitter account @nvyoung. I can’t use the paid version because I have been unemployed for 27 months now. So after I get home from covering events Saturday afternoon, I get this email saying:

I wanted to get in touch to apologize for the awful experience we’ve caused many of you on your weekend. Buffer was hacked around 1 hour ago, and many of you may have experienced spam posts sent from you via Buffer. I can only understand how angry and disappointed you must be right now.

Not everyone who has signed up for Buffer has been affected, but you may want to check on your accounts. We’re working hard to fix this problem right now and we’re expecting to have everything back to normal shortly.  I am incredibly sorry this has happened and affected you and your company. We’re working around the clock right now to get this resolved and we’ll continue to post updates on Facebook and Twitter.

Buffer was hacked by someone and they started to post spam messages on people’s Facebook and Twitter accounts like this one saying “For anyone that’s reading the newsfeed right now, I just wanna say that I lost 8 pound this week…” Yeah, this is one of those status updates that you know someone trustworthy would never post. Shortly after the spam started, Buffer temporarily shut off all posting on their service and kept many people up to date on their Facebook and Twitter accounts. Understandably, some people were upset with their information possibly being stolen, but most people were impressed with their customer service.

Late Saturday night, I got another e-mail from Buffer and it reads:

I wanted to follow up with you after yesterday’s hacking incident. For many of you this has seriously disrupted your weekend – I’m sorry we caused that awful experience. The Buffer team has been working around the clock and I’m glad to say we’re back up and running. We have also spent all of today adding several security measures.

I want to apologize again and say that I’m incredibly sorry this has affected you and in many cases also your company. We’ve written a blog post with ongoing updates as we uncover the full details.  What is left for us right now is to complete our technical analysis and take further security measures. We will follow up with another update on this soon.

When I heard of the Buffer hacking, I quickly disabled the app from my Facebook, Twitter, and LinkedIn accounts.  Saturday night was fun since I had to manually post updates to Facebook and Twitter during the Hub Network Halloween Bash.  But since Saturday night I have already reconnected my accounts and I am using Buffer again.  I was never hacked and I did check my Facebook and Twitter accounts to make sure there were no spam updates.  Facebook confirmed with Buffer that 30,000 Buffer users who had a Facebook page connected (out of 476,343 total connected pages to Buffer) were affected and had spam posted on their behalf.  This means that 6.3% of Buffer users on Facebook were impacted by the hacking.

Buffer has now taken key security measures, such as adding encryption of OAuth access tokens, and they have changed all API calls to use an added security parameter. Now, Buffer is even more secure than they were last week. And I will continue to use them for my social media account updates. I am glad Buffer kept everyone up to date and solved this hacking quickly. Remember, hackings can happen to any website; it’s a part of life. Buffer is now more prepared for any future hackings.
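
As an added illustration of the first measure (this is not Buffer's code and not part of the original post), here is one way a service can encrypt OAuth access tokens before storing them, so that a copied database row is useless without a key held elsewhere. The function names, the record layout, the key handling and the sample values are assumptions made for this example; `Buffer` in the code is Node.js's byte-array class, not the company.

```javascript
// Added example: sealing OAuth access tokens with AES-256-GCM before storage.
const crypto = require('node:crypto');

// Assumption: in production the 32-byte key comes from a KMS or secret store,
// never from the database that holds the tokens. Random here so it runs offline.
const KEY = crypto.randomBytes(32);

// Bind each ciphertext to its owner and provider so a copied row
// cannot be replayed under a different account.
function aad(userId, provider) {
  return Buffer.from(`${userId}|${provider}`, 'utf8');
}

function sealToken(token, userId, provider, key = KEY) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per record
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad(userId, provider));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  // Stored form: version . iv . auth tag . ciphertext (base64 has no dots)
  const parts = [iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64'));
  return ['v1', ...parts].join('.');
}

function openToken(stored, userId, provider, key = KEY) {
  const [version, iv, tag, ct] = stored.split('.');
  if (version !== 'v1' || !iv || !tag || !ct) throw new Error('bad token record');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(iv, 'base64'));
  decipher.setAAD(aad(userId, provider));
  decipher.setAuthTag(Buffer.from(tag, 'base64'));
  // final() throws if the key, the binding, the tag or the ciphertext is wrong.
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, 'base64')), decipher.final()]);
  return pt.toString('utf8');
}

// True when the record cannot be opened with the given key and binding.
function isRejected(stored, userId, provider, key = KEY) {
  try {
    openToken(stored, userId, provider, key);
    return false;
  } catch {
    return true;
  }
}

// Constructed sample values, not real credentials.
const SAMPLE_TOKEN = 'EXAMPLE-ACCESS-TOKEN-not-real';
const record = sealToken(SAMPLE_TOKEN, 'user-1001', 'facebook');
```
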

I was really impressed with the way Buffer handled this hacking episode, and many people were impressed as well. I will continue to use Buffer for my social media needs. Now I really want Buffer to allow Google+ profiles to be included, come on Google and release the API key!

Learn more about Buffer at: bufferapp.com.