Tag Archives: hacked

LLsocial.com has been covering this issue and has details, advice and a link to a Pinterest survey you can fill out if you have been hacked.

Mysterious cause of Pinterest user hacks remains unknown. Pinterest now locking accounts.

Since my last blog post on Pinterest users’ accounts being hacked, I have been discussing possible causes of the hack with affected users (see the 25 comments here). The hacking issue seems to be getting worse, and now Pinterest is proactively addressing this issue by locking down accounts that they determine are exhibiting suspicious activity.

Users are getting locked out of their accounts when a possible hack is detected by Pinterest.

On July 10th, Pinterest posted an update to their Account Security customer service page. This update acknowledged that simply changing your password did not always prevent your account from being hacked again. What they suggested users do if changing the password didn’t work was extreme.

  • If changing your password does not solve the issue, change your password again and immediately deactivate your account. Please return to this support article in 1-2 weeks for additional instructions; we are working on a process that will enable users to reset their accounts.
  • Unfortunately, we are unable to restore any deleted boards or pins.

Essentially, the user could lose all their pins, and Pinterest would get back to the user in 1 to 2 weeks.

On July 13th, Pinterest posted a new update. In it they let users know that Pinterest would be locking some accounts that had suspicious activity, and the post provided details on how to reset passwords. They indicated it would take several days to get accounts reopened, and they indicated that previous pins wouldn’t be lost.

Here is an example message a user would receive if their account is locked.

(screencap from @sfonzi5)

User survey provides clues into what Pinterest is investigating

On Monday (7/16), Pinterest published a support page that has a Google Docs survey on it. All users who are locked out or have had suspicious pins posted on their account are being asked to fill out the survey. Pinterest likely doesn’t know the exact cause of these hacks and is trying to use detailed user feedback to determine what is causing these accounts to be compromised.

The questions in the survey seem to show that Pinterest is casting a broad net in terms of figuring out this issue. Topics in the survey include:

  • Compromised email, Facebook, or Twitter accounts
  • Gift certificates or rewards requiring a Pinterest Login as well as email phishing
  • Third party Pinterest clients and apps
  • How the user accesses Pinterest, even getting as detailed as different phone models
  • The use of antivirus software
  • Browser based 3rd party plugins, add-ons and tool bars

There is no mention of LinkedIn, LastFM or Yahoo accounts. I speculated in the comments of my last blog post that someone could be using hacked information from those sites to access Pinterest user accounts. The survey questions would now lead me to believe that theory was incorrect.

If it was simply an issue of users not being careful with their password or clicking on compromised links, it is likely that Pinterest would not be digging as deep into this issue as they are.

Advice for Pinterest users

If you are hacked, changing your password is the best step to protect yourself.

If you are not hacked, you should be using a password that is unique to your Pinterest account.

At this point, I have to advise that you don’t enter any contests on Pinterest. While many people had their accounts hacked without clicking on anything, it seems that the Pinterest hacks hit the sweepstakes community particularly hard. The likely reason is clicking on hacked pins which are often promotional in nature.

Pinterest has published their own lists of ways to protect your pins. I recommend you check it out.

If you have been affected by the hack, you are welcome to post a comment with any details you think might help others figure out the cause. You can also comment in our active discussion here.

Update 7/21: Pinterest responds to IDG about the hacking. They say:

“We suspect this spam may be related to the recent leaks of credentials from other sites, which serves as an important reminder [for users] to have unique logins and passwords”

Avoid these images that appeared on hacked Pinterest boards accounts

Protect yourself from the newest hacking of Pinterest accounts.

Update 7/19: The article below is still relevant, and you should check out the comments for ongoing discussion, but I have another update about Pinterest locking accounts along with an official Pinterest hacking survey that all users who had their accounts hacked should complete.

Updated 7/8: Based on user experiences, if you have been hacked, the first thing you should do is change your Pinterest password. This worked for at least one of the Pinterest users who posted in our comments.

It is unclear how hackers are getting access to Pinterest accounts, but in the last three days there have been a number of signs that hacking is again becoming a problem on Pinterest.

Traffic to my post on the March hacking of Pinterest has increased considerably starting on July 5th, and you can find a number of people on Twitter complaining about being hacked.

A blogger for the Identity Theft Resource Center posted a hacking experience. This person believes the issues might have started on Facebook.

Just now I happened to come across a Facebook post about how to make a very cool iPad case using wallpaper so I thought I would go ahead and pin it so I could check it out later. This is when the trouble began.

I have several different “boards” on my Pinterest to organize what I find online, but the board to which this particular link wanted to post to was called “Make Money Online”.  Fairly certain that I had not created that board, I logged into the site and found that several boards had been created and items had been pinned to them.  The pinned items, when clicked on, would lead someone to either an online job scam or a malware download.

Since I first published this article, two people shared their experiences in the comments, and neither of them believes that they got hacked by clicking something in Facebook.

Pinterest users have also been commenting on some of these hacked pins, trying to figure out the issue. A sample of the comments includes:

I have been deleting these. I get at least two a day now!

Glad to see I’m not the only one having this pop up on my account and unwanted at that! I’ve reported it every time with no kind of feedback! Every day it reappears under some other board that I didn’t create!

Blogger C McKane has a blog post with some tips on what to do if your account has been hacked.

I included some of the images the hackers have been using at the top of this post. Definitely don’t click on any pin that has these images in it.

If your account has been hacked, please share your story in the comments. If you have a guess as to why the hack might have happened, please post the details so others can avoid this issue.

 


Pinterest hacked. Hundreds of thousands of users are unknowingly posting spam pins.

I have two new blog posts with details of the July hacking of Pinterest accounts.

Pinterest hack details

On Saturday morning Pinterest users began seeing pins show up on their boards without ever pinning them, and in this case it appears users did nothing wrong.

I observed a $1000 free Walmart card image show up around 8AM CST when looking at the feed of people I follow, but I didn’t think anything of it. This afternoon Craig Fifield blogged about his wife’s experience with the spam pins. By this evening hundreds of thousands of these pins were showing up on Pinterest. Each spam offer pin (Walmart, Best Buy and Starbucks were the main ones) had tens of thousands of repins listed in connection with them.

These spam offer pins aren’t happening because a user clicks on any spam links, which means it is highly likely that Pinterest itself or some process in their system has been hacked.

In writing up this post, I went to the @free Pinterest page. I didn’t see any of these spam pins, so I started writing up what I learned. Five minutes later my wife sent me an instant message indicating that the @free Pinterest account had sent out the Best Buy spam offer. I didn’t do anything except go to the Pinterest website. I was already logged into my account.

My initial thought this afternoon was that someone could be using a brute force attack to figure out passwords, but based on my own experience and the vast nature of the pins, it looks increasingly likely that someone has hacked Pinterest and figured out how to pin to a large number of people’s boards. Even a Pinterest engineer has two spam offers on his board as I write this. Kelly Lieberman pointed this out on Facebook.

Some good-sized brands like Lindt Chocolate are also putting out these offers.

It is very possible that no passwords have been compromised, but rather someone is actually hacking Pinterest itself. With the quantity of these spam pins, it looks to be the work of some kind of bot. I reported over a month ago about an account that followed over one million Pinterest accounts in one day. This seems like a similar technological exploit, but with much greater implications.

In addition to the unauthorized posts, it seems that the hack makes the edit button disappear on some of the offending pins. Where the edit button should have been is just a blank space. I list below a way to resolve this issue with a quick work-around. But the removal of this button points to how sophisticated the hack is and how open the Pinterest system is to exploitation.

One of the offending accounts that seemed to be the basis for the Best Buy gift card offer is now returning a 404 error, so hopefully Pinterest is addressing this issue.

Update 3/18: The hack occurring on St. Patrick’s Day likely allowed these pins to go unnoticed by the Pinterest team for longer than would have occurred on a normal weekday. Starting last night around 10PM CST, Pinterest began deleting the offending pins. As of this morning, a review of multiple Pinterest streams indicated that the hack issue seems to be resolved.

If your account has been hacked, you can delete the pin.

1. Go to the specific pin page on Pinterest.

2. Add /edit to the end of the pin URL.

3. Hit enter.

4. Delete the pin just like you would any other pin.

5. Confirm you want to delete.

Thanks to Mariam Shahab for sharing the basis of these tips.