White hat hackers have flooded VKontakte (VK) with spam on Valentine's Day as part of a revenge prank against the Russian social network after the company failed to both fix and financially reward a security researcher for a vulnerability he reported to the site a year before.

The incident happened last week, on Valentine's Day, February 14, and was contained within hours after it started, the VKontakte team said in a VK wall post.

At the heart of the spam campaign was a worm created by Baghosi, a community for Russia-based social media app developers.

To power their worm, Baghosi devs used a vulnerability impacting VK that was discovered by one of its members, and reported to the social network a year before.

Baghosi said VK failed to acknowledge the bug report, and also failed to fix the issue, let alone pay the security researcher for his bug hunting efforts.

The actual worm resided in a script hidden inside an article's source code. When anyone accessed the malicious page to read the article, the hidden worm would post a link to the article on the VK groups and pages the reader was managing.

The worm also pulled random reviews from the VK app's Apple App Store and Google Play Store pages.

The Baghosi team unleashed the worm on VK on Valentine's day, and the article spread like wildfire, with thousands of re-posts within minutes.

Лучшее про взлом ВКонтакте pic.twitter.com/0InivvLsp9 — Awesome Mike (@AwesooomeMike) February 14, 2019

по вконтакте ходит ссылка, при клике на которую во всех группах, которые вы админите появляется вот такой пост с рандомным комментом pic.twitter.com/XJpEZrGTnJ — анатолий ноготочки💅 (@A_Kapustin) February 14, 2019

Во «ВКонтакте» произошел массовый взлом сообществ. Они все постят одну и ту же запись



Напишите в поиске сообщений "всё менъше" увидите pic.twitter.com/4NWpATeFQV — Не Тв (@NeTVRussia) February 14, 2019

Во вконтакте массовый взлом? pic.twitter.com/62iu2PBrIl — a little wicked 🔥 (@foolinanutshell) February 14, 2019

The Baghosi team came clean about what they did in a VK post. The VK team initially banned the Baghosi VK page, but later reversed the ban when it became clear the spam flood was just a joke, and no user data was stolen or collected during the attack.

VKontakte did not respond to an email inquiry seeking additional details about last week's event. The company usually handles vulnerability reports via its bug bounty program on HackerOne.

ZDNet would like to thank our user Miriama for her help with this report.

Related security coverage: