Since my last blog post on Pinterest users’ accounts being hacked, I have been discussing possible causes of the hack with affected users (see the 25 comments here). The hacking issue seems to be getting worse, and now Pinterest is proactively addressing this issue by locking down accounts that they determine are exhibiting suspicious activity.
Users are getting locked out of their accounts when a possible hack is detected by Pinterest.
On July 10th, Pinterest posted an update to their Account Security customer service page. This update acknowledged that simply changing your password did not always prevent your account from being hacked again. What they suggested users do if changing the password didn’t work was extreme.
- If changing your password does not solve the issue, change your password again and immediately deactivate your account. Please return to this support article in 1-2 weeks for additional instructions; we are working on a process that will enable users to reset their accounts.
- Unfortunately, we are unable to restore any deleted boards or pins.
Essentially, the user could lose all their pins, and Pinterest would get back to the user in 1 to 2 weeks.
On July 13th, Pinterest posted a new update. In it, they let users know that Pinterest would be locking some accounts that had suspicious activity, and the post provided details on how to reset passwords. They indicated that it would take several days to get accounts reopened and that previous pins wouldn’t be lost.
Here is an example message a user would receive if their account is locked.
User survey provides clues into what Pinterest is investigating
On Monday (7/16), Pinterest published a support page that has a Google Docs survey on it. All users who are locked out or have had suspicious pins posted on their account are being asked to fill out the survey. Pinterest likely doesn’t know the exact cause of these hacks and is trying to use detailed user feedback to determine what is causing these accounts to be compromised.
The questions in the survey seem to show that Pinterest is casting a broad net in terms of figuring out this issue. Topics in the survey include:
- Compromised email, Facebook, or Twitter accounts
- Gift certificates or rewards requiring a Pinterest Login as well as email phishing
- Third-party Pinterest clients and apps
- How the user accesses Pinterest, even getting as detailed as different phone models
- The use of antivirus software
- Browser-based third-party plugins, add-ons and toolbars
There is no mention of LinkedIn, LastFM or Yahoo accounts. I speculated in the comments of my last blog post that someone could be using hacked information from those sites to access Pinterest user accounts. The survey questions would lead me to now believe that that theory was incorrect.
If it was simply an issue of users not being careful with their password or clicking on compromised links, it is likely that Pinterest would not be digging as deep into this issue as they are.
Advice for Pinterest users
If you are hacked, changing your password is the best step to protect yourself.
If you are not hacked, you should be using a password that is unique to your Pinterest account.
At this point, I have to advise that you don’t enter any contests on Pinterest. While many people had their accounts hacked without clicking on anything, it seems that the Pinterest hacks hit the sweepstakes community particularly hard. The likely reason is clicking on hacked pins, which are often promotional in nature.
Pinterest has published their own lists of ways to protect your pins. I recommend you check them out.
If you have been affected by the hack, you are welcome to post a comment with any details you think might help others figure out the cause. You can also comment in our active discussion here.
Update 7/21: Pinterest responds to IDG about the hacking. They say:
“We suspect this spam may be related to the recent leaks of credentials from other sites, which serves as an important reminder [for users] to have unique logins and passwords”