Social media app Buffer recently acknowledged that it was hacked over the weekend, and that the hackers had posted several thousand spam posts on users' Facebook and Twitter feeds via Buffer (h/t The Next Web).
In a blog post, company founder and CEO Joel Gascoigne noted that Facebook had confirmed that 30,000 users who had a Facebook page connected, or 6.3 percent of Buffer users on Facebook, were affected and had spam posted on their behalf.
In response, Gascoigne said the company has added encryption of OAuth access tokens, and has changed all API calls to use an added security parameter. Buffer has also invalidated all Twitter access tokens, and added encryption for all Twitter access tokens moving forward.
Company CTO Sunil Sadasivan later explained that while the hackers were able to steal some users' Facebook and Twitter access tokens, they weren't able to access any passwords, billing information or other user information.
"With these improvements your Twitter and Facebook accounts are not at risk any more," Sadasivan wrote. "Attackers will not be able to use this method to send spam any more."
Most importantly, Sadasivan added, "The method which left our data vulnerable is now locked and secure."