Pinterest Users Getting Hacked For Second Time In Two Weeks

An undetermined number of Pinterest accounts are being hacked for the second time in as many weeks. This most recent incursion appears to be ongoing with account breaches still continuing at the time that this article was published. The new breach is nearly identical to the one that happened on June 4 where an untold number of Pinterest accounts were compromised with unauthorized "Pins" (Pinterest vernacular for "post").  The latest breach has so far produced a similar flood of over 900 equally unauthorized posts to Twitter. As revealed in ProgrammableWeb's exclusive investigation of Pinterest's June 4th breach, the posts to Twitter relied on a fake weight-loss promotion that's designed to lure unsuspecting followers into a malware trap. That trap attempts to obtain additional personal information and login credentials.

In contrast to defacto best practices for Internet breaches involving the personal accounts of end-users, Pinterest has so far disclosed very little detail regarding the June 4 incursion and it remains to be seen if this second successful attack within 11 days of the previous one will force the company to pursue a policy of more proactive transparency. A great many questions remain including how exactly the accounts were breached in the first place and what steps Pinterest is taking to lock the problem down.  Based on what ProgrammableWeb has learned from impacted users, it appears as though the hackers are programmatically enabling Pins to echo themselves to Twitter even if the option to do so was initially unchecked in the Pinterest User Interface.  What isn't clear -- again due to the lack of disclosure so far -- is whether the programmatic breach involves Pinterest's API or if hackers have successfully developed some sort of Web-scraping routine. 

Responding this past Friday via email to ProgrammableWeb's initial investigation into the matter, Pinterest spokesperson Malorie Lucich said "We don't have any evidence of a database breach. We saw a small number of compromised accounts, which we quickly placed in safe mode and worked toward helping the Pinners recover. We're constantly working on ways to prevent further issues through reactive and proactive steps, as well as educating users on the importance of using complex and unique passwords."  According to Pinterest's Web site, "safe mode prevents any changes to your account until you reset your password." While it's not 100 percent certain, Lucich's statement could suggest that non-unique passwords --- passwords that end-users re-use across multiple Internet services --- could be one of the sources of the problem.  While the number of affected users continues to climb, Pinterest has so far not clarified what it considers to be "a small number of compromised accounts."

In its ongoing investigation of the June 4 breach, some of the impacted Pinterest users admitted to ProgrammableWeb that their Pinterest password is the same as for their accounts on other services such as Twitter.  Such password re-use is rearing its ugly head as a key vulnerability in Internet security; one that the providers of many popular services have yet to collectively address with a standard approach. One reason is that there are very few workable solutions to the problem.  As users rely more and more on Internet-based services, the more they are also forced to re-use passwords because of how impossible it is to remember a unique password for every service they use. Password re-use was a key vulnerability in an attack on Buffer last October. That attack resulted in a compromise to tens of thousands of Buffer accounts that, like these last two breaches of Pinterest users' accounts, used a fake weight loss scheme to draw the attention of followers and friends on Twitter and Facebook. 

One potential solution involves what to many will appear as a preferred single sign-on to the Internet. In this scheme, end-users maintain one user ID and one password with a trusted authority like Google, Facebook, or Twitter that's supported by every other service on the Internet to which those users would normally login.  Whereas the user logs in once to the central service, that service interacts with the other secondary services using a token-based architecture such as OAuth to authenticate the end-user (or, in many cases, an application working on behalf of the end-user).  Many users of various Internet services rely on this approach today ---where they login to a Web site using their Twitter or Facebook IDs.  

Unfortunately, as proven in the attack on Buffer, token-based schemes are not infallible. In certain cases, if the tokens fall into the wrong hands, they can be used like fake IDs to gain unauthorized access to certain sites. To address that problem, companies like Google offer solutions that involve a second factor of Authentication. For example, users of Github can configure their accounts to use Google's Authenticator with the Two-Factor Authentication option enabled.  That second factor in this case is the Google account owner's cell phone which, upon an attempt to login to Github or other supporting Web site, receives a one-time code via SMS text that must be entered as a part of the login process in order to complete the login. However, such capabilities are far from ubiquitous. Google is somewhat alone in offering a two factor-based centralized login service and it isn't often the first social network login choice for either sites that support social network logins or the users that rely on them.

Meanhwile, in the case of Pinterest, it still remains to be seen what the company's long-term solution to its ongoing breaches will be and it's impossible to speculate what the company might do since it has been so tight-lipped about the actual problem (see the update below).  The company claims that its databases remain secure but has fallen short of offering more specifics about how its users accounts continue to get hacked. According to Lucich, Pinterest recently announced a bug bounty program in May as part of the company's steps toward creating a more secure environment for Pinners. However, given the dearth of details regarding this latest round of attacks, the connection between that bounty program and Pinterest's ability to reign-in the securithy of its users' accounts isn't clear.

ProgrammableWeb will continue to report on the breach as more information comes to light.

Update (June 17th, 2014): Late last night, Pinterest spokesperson Malorie Lucich contacted ProgrammableWeb with the following statement "We were alerted to some instances of spam and responded by immediately placing impacted accounts in safe mode, and reaching out to Pinners as we solved the issue."  In response to ProgrammableWeb's inquiry regarding how many accounts were impacted, Lucich wrote "We don't have specifics to share on the number of impacted accounts."

Be sure to read the next Security article: Today in APIs: Cognitive Networks Lands Patent for Smart Client Technology