Seven thousand HootSuite accounts have been compromised, leading to an influx of dieting-product spam peddled over Twitter.
After obtaining users' account details elsewhere, spammers were able to fraudulently sign into HootSuite – a popular dashboard tool that helps users manage their social networking profiles on Twitter, Facebook, LinkedIn, and other sites.
Once signed in, miscreants tweeted links to dubious sites advertising Garcinia Cambogia weight loss pills.
HootSuite said the 7000 users equated to about 0.01 percent of its user base.
The attacks happened after “unauthorised users” targeted a third-party application using OAuth, an authentication protocol that allows applications to interact with each other (or act on a user's behalf) without requiring users to share their passwords.
HootSuite said its software was not hacked to carry out the fraudulent logins. Instead, “a small number of successful attempts to log in to HootSuite were made using user IDs and passwords that were acquired elsewhere,” the company statement said.
The fraudulent login attempts were detected on 26 July, with additional security measures implemented on 20 August.
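The pattern described above, logins made with credentials stolen from another site, is usually called credential stuffing, and the tell-tale sign in an authentication log is a single source trying many distinct accounts in a short window with a low success rate. The following Python script, added here as an illustration and not code from HootSuite or the article, shows how a defender could flag such sources and list the accounts whose logins succeeded from them (the ones that need a password reset). The log format, the sample events, the IP addresses and the thresholds are all constructed for the example.

```python
"""Flag credential-stuffing sources in a login log (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


# Constructed sample log: one stuffing source cycling through many accounts,
# one ordinary user who mistypes a password once. Format is assumed, not a real product's.
SAMPLE_LOG = """
# timestamp            source_ip     user   outcome
2000-01-01T10:00:01 203.0.113.9 alice FAIL
2000-01-01T10:00:03 203.0.113.9 bob FAIL
2000-01-01T10:00:05 203.0.113.9 carol OK
2000-01-01T10:00:07 203.0.113.9 dave FAIL
2000-01-01T10:00:09 203.0.113.9 erin FAIL
2000-01-01T10:00:11 203.0.113.9 frank FAIL
2000-01-01T10:00:13 203.0.113.9 grace FAIL
2000-01-01T10:05:00 198.51.100.7 heidi FAIL
2000-01-01T10:05:20 198.51.100.7 heidi OK
"""


def parse_log(lines):
    """Parse 'ISO-timestamp ip user OK|FAIL' lines; blank lines and '#' comments are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, outcome = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, max_success_ratio=0.2):
    """Return {ip: summary} for every source IP that, within some sliding time
    window, attempted at least min_users distinct accounts with a success ratio
    no higher than max_success_ratio. Thresholds are assumed starting points."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.username for e in span}
            successes = sum(e.success for e in span)
            ratio = successes / len(span)
            if len(users) >= min_users and ratio <= max_success_ratio:
                summary = {"distinct_users": len(users), "attempts": len(span),
                           "successes": successes}
                # Keep the widest qualifying window seen for this IP.
                if ip not in flagged or summary["distinct_users"] > flagged[ip]["distinct_users"]:
                    flagged[ip] = summary
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts that logged in successfully from a flagged source: treat as compromised."""
    return sorted({e.username for e in events if e.success and e.src_ip in flagged})


def analyze(log_text):
    """Convenience wrapper: parse, flag sources, and list accounts needing a reset."""
    events = parse_log(log_text.splitlines())
    flagged = find_stuffing_sources(events)
    return flagged, accounts_to_reset(events, flagged)


if __name__ == "__main__":
    sources, compromised = analyze(SAMPLE_LOG)
    for ip, s in sources.items():
        print(f"stuffing source {ip}: {s['distinct_users']} accounts, "
              f"{s['successes']}/{s['attempts']} succeeded")
    print("reset these accounts:", compromised)
```

A single successful login buried among many failures is exactly what a per-account lockout misses, so the detection keys on the source rather than the account; in production the same logic would be extended to group by network range or client fingerprint, since stuffing campaigns rotate IPs.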
As part of the spam campaign, scammers led users to bogus diet websites designed to collect their personal and financial information. In an effort to stop the spam, the third-party application that used OAuth was temporarily disabled.
“In this case, the unauthorised users accessed HootSuite through a third-party application using OAuth,” HootSuite said.
“In response, we've temporarily disabled access to OAuth from the affected third-party online service, and will continue to deploy efforts to keep our users safe.”
Following the incidents, HootSuite has advised all impacted users to change their username and password, and to make sure they don't reuse their credentials across multiple sites.
Last month, a hacker claimed that he was able to get his hands on the Twitter account information of more than 15,000 users, including their OAuth token data, by manipulating the authentication protocol OAuth.