Unauthorized access to some Buffer accounts has been resolved, here’s what happened

On February 26th, our team became aware that access was obtained to a number of Buffer accounts and those accounts were used to spread support for Russia’s invasion of Ukraine. The accounts affected did not have two factor authentication (2FA) enabled, indicating that this was likely related to reused passwords as there continues to be no indication of a breach to Buffer.

In total, 1,552 accounts were accessed, and of those, 618 accounts posted unauthorized content for a total of 766 unauthorized posts sent. They were primarily sent to Twitter (505 posts) and Facebook (233 posts), with the final few sent on LinkedIn (28 posts).

Our team quickly took action to stop further unauthorized posts from being sent and successfully removed 100% of unauthorized posts across Twitter, LinkedIn, and Facebook . We also contacted every impacted Buffer user with recommended steps to take the same day.

We're still investigating the origin of these posts and in the meantime are continuing to encourage all Buffer users to turn on 2FA for your Buffer account.

Live updates

Update 7: March 1st, 2:57 pm EST

Our team was able to access and delete the final 4% of unauthorized posts sent via LinkedIn, which completes the updates for this blog post.

Update 6: February 27th, 9:08 am EST

Since our last update, our team has successfully removed unauthorized posts on Twitter and Facebook (96% of total posts). We’ve hit a snag with LinkedIn posts and are still working to remove those remaining 28 posts.

Every impacted Buffer user whose account was affected has been contacted with recommended steps to take. If you were impacted and need further assistance or our team can help with anything please get in touch via hello@buffer.com.

We are so grateful for your trust and patience while we got to the bottom of this. 💙

We’ll keep this blog post updated as our team continues to investigate the origin of these unauthorized posts.

Update 5: February 26th, 7:49 pm

Our first priority has been investigating the unauthorized access into Buffer accounts while preventing future access and blocking suspicious traffic. Now, we are beginning the process of removing unauthorized posts and are aiming to successfully remove all unauthorized posts.

Update 4: February 26th, 6:49pm EST

None of the 1,552 affected accounts had two factor authentication (2FA) enabled, further indicating that this was likely related to reused passwords. We are continuing to investigate. In the meantime, here’s how to turn on 2FA for your Buffer account.

Update 3: February 26th, 6:20 pm EST

Of the 618 Buffer accounts that posted unauthorized content, 766 posts were sent in total:

• 505 (66%) to Twitter
• 233 (30%) to Facebook
• and 28 (4%) to LinkedIn

Our team has taken steps to stop any further unauthorized posts from being sent.

Update 2: February 26th, 5:48 pm EST

This affected 1,552 accounts. Of those, 618 accounts posted unauthorized content. Our current understanding is that access was obtained through individual accounts, not through Buffer, likely through reused passwords, though we are not yet certain.

Update 1: February 26th, 5:05 pm EST

We’ve become aware that access was obtained to a number of Buffer accounts which have been used to spread support for Russia’s invasion of Ukraine. This is very concerning to us. So far there is no indication of a breach to Buffer. We will update this thread as we know more.