You may have noticed some confusing social media messages from theCUBE or SiliconANGLE over this past weekend. That’s because the social media scheduling app Buffer had a weekend security incident that resulted in a hacking of the service for many customers, us included. What was sent out were weight loss spam links. The company responded quickly over social media confirming that there was an issue at first, but followed that up with a blog post from CEO Joel Gascoigne:
I want to apologize again and say that I’m incredibly sorry this has affected you and in many cases also your company. We’ve written a blog post with ongoing updates as we uncover the full details.
We have worked with our partners to identify the source of the breach, and the vulnerability has been closed. What is left for us right now is to complete our technical analysis and take further security measures. We will follow up with another update on this soon.
I want to invite you again to hit reply to this email or post a comment on our blog post. We will be sure to respond to you as fast as we can.
One piece of good news was that there was no compromise of financial information or user passwords.
Buffer did a number of great things here, reaching out to their community immediately and getting effective action out of the gate, assessing the situation, communicating that situation, and fixing that situation. From the details blog post:
We’ve discovered the source of the breach and closed the vulnerability. Keep reading for the full story.
Update 9: We’ve discovered the exact details of how the Twitter and Facebook access tokens were obtained to send spam posts.
It turns out this compromise was executed through a backdoor from a partner, MongoHQ that managing the Buffer database. Apparently a password belonging to a MongoHQ employee was stolen, then used to pull the target database information, scripted to grab the social access tokens that would give them the access to spam user accounts. Again, Buffer and MongoHQ’s response to this incident were remarkable, and kept users informed in a very direct and up-to-date manner.
Security Opportunities for Behavioral Security Models
The whole tale highlights one of the most understated elements in security, and that is a risk that comes from partnerships, third-party scenarios, contractors, etc. Further, with a behavioral analysis and notification security system, the machine data analysis type of systems we profile here regularly, this is exactly the kind of case this could have been quite useful in. The opportunity would be at that point which a foreign script would begin to execute or when a valid password was utilized from a non-standard location. At the end of the day, we have some pretty specific information on the compromise, and it indicates the ongoing threat when you are a target, even when the goal is something as seemingly trivial like junky spam for some kind of weight-loss juice or something. The tale from this incident here is that we had a popular service compromised, a great response and postmortem for the community – the problem has been fixed. This is a rare public insight into a breach response, because the assets involved were not exactly critical, let’s face it this was just spam – this time. The security community however will recognize that hackers look for opportunity and attack there. Next-generation security systems only make sense in the face of such challenges.