Social Scheduling Tool Buffer Gets Hacked, Floods Twitter And Facebook With Weight Loss Spam

If you’re a user of social media scheduling app Buffer, there’s a good chance that your Saturday morning has been less than relaxing. There have been numerous reports circulating today purporting that the service has been hacked, and just a few moments ago the company officially confirmed those reports in a tweet.

“Hi all. So sorry, it looks like we’ve been compromised,” the terse statement reads. “Temporarily pausing all posts as we investigate. We’ll update ASAP.”

At this point the company has said little else about the cause of the issue, but its effects are clear: users who have linked their social accounts to the service have been posting sketchy weight loss links like the ones seen below. The extent of the hack is also unclear at this point, but Buffer Chief Happiness Officer (yes, really) Carolyn Kopprasch has said that it doesn’t seem like every user has been affected by the exploit.

UPDATE: The Buffer team has posted an update on its blog that shines just a little more light on what happened. Perhaps most importantly, neither user passwords nor billing/payment information were exposed.


Speaking of affected Buffer users, you’re probably in the clear if your Facebook or Twitter accounts haven’t already started spewing spam — following a tweet from CEO Joel Gascoigne, all sharing from the service has been temporarily halted as the team tries to figure out what’s wrong. A quick attempt to sign in from the Buffer homepage confirms the team’s response — it’s impossible to sign in using a Twitter account, and the corresponding Facebook app seems to have been pulled into sandbox mode so the Buffer API is inaccessible to outside users. Even so, it wouldn’t be a bad idea to revoke Buffer’s access to your accounts just in case — you can disable Buffer from connecting to your Twitter account here, while doing the same on Facebook will require a trip to your application settings page.


While the slew of spammy links only seems to have begun within the last hour or so, it appears as though the root cause of the problem may have begun a little earlier than that. Judging by the company’s timeline of tweets, the issues began late last night when some users reported not being able to access the service, while others claimed that their scheduled social posts had disappeared from the Buffer backend. I’ve reached out to the company for some additional insight and I’ll update this post as I learn more.
