Buffer is recovering from an attack on its systems that saw many of its customers send spam to their social networks.
The attack took place on Saturday, with the company continually documenting its response on its Open blog.
Buffer is used by individuals, but also businesses, to prepare and schedule social media posts on networks like Twitter and Facebook. With an investigation still ongoing, not all the details of the attack are available, but the company has changed its processes to encrypt OAuth access tokens and made further security changes to its API.
Although the spam posts appeared on Facebook and Twitter, these services have not been directly compromised. Instead, users provide access to their accounts by linking Buffer to these social networks and giving it the privilege to post on their behalf.
After working with Facebook, Buffer CEO Joel Gascoigne said that 30,000 Buffer users who had a Facebook page connected had spam posted on their behalf.
"This means that 6.3 percent of Buffer users on Facebook were impacted by this," he wrote.
Buffer has since revoked the permissions that it was given to post to Twitter, in effect expiring the OAuth access tokens that are believed to be compromised. Users are now required to reconnect their accounts in order for new tokens to be generated.
Customer billing data is handled by Stripe, a company that helps businesses accept web and mobile payments, and so was not affected by the attack. Additionally, customer passwords are hashed and salted.
Despite the attack, the company has been upbeat about the issue. The company's number one value is to always choose positivity and happiness, and number two on the list is to default to transparency.
Gascoigne has even been wishing those cancelling their Buffer accounts well, and complimenting them on their choice of competing product.