I have two new blog posts with details of the July hacking of Pinterest accounts.



Pinterest hack details

On Saturday morning Pinterest users began seeing pins show up on their boards that they had never pinned, and in this case it appears the users themselves did nothing wrong.

I observed a $1000 free Walmart card image show up around 8AM CST when looking at the feed of people I follow, but I didn’t think anything of it. This afternoon Craig Fifield blogged about his wife’s experience with the spam pins. By this evening hundreds of thousands of these pins were showing up on Pinterest. Each spam offer pin (Walmart, Best Buy and Starbucks were the main ones) had tens of thousands of repins listed against it.

These spam offer pins aren’t appearing because a user clicked on a spam link, which makes it highly likely that Pinterest itself, or some process in its system, has been hacked.

In writing up this post, I went to the @free Pinterest page. I didn’t see any of these spam pins, so I started writing up what I learned. Five minutes later my wife sent me an instant message indicating that the @free Pinterest account had sent out the Best Buy spam offer. I didn’t do anything except go to the Pinterest website. I was already logged into my account.

My initial thought this afternoon was that someone could be using a brute force attack to figure out passwords, but based on my own experience and the vast number of pins, it looks increasingly likely that someone has hacked Pinterest and figured out how to pin to a large number of people’s boards. Even a Pinterest engineer has two spam offers on his board as I write this. Kelly Lieberman pointed this out on Facebook.

Some good-sized brands like Lindt Chocolate are also putting out these offers.

It is very possible that no passwords have been compromised, but rather that someone is actually hacking Pinterest itself. Given the quantity of these spam pins, it looks to be the work of some kind of bot. I reported over a month ago on an account that followed over one million Pinterest accounts in one day. This seems like a similar technological exploit, but with much greater implications.
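To make the brute-force-versus-platform-exploit reasoning concrete, here is an added Python example (not from the original post, and not Pinterest’s code) that runs the two checks a responder would run over platform logs: how many distinct accounts pinned each spam image within a short time bucket, and whether the affected accounts had a fresh login shortly before their spam pin. The pin and login events, the image names, the one-hour window and the 50% threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; not real Pinterest data. Timestamps are local time.
# A pin event is (account, timestamp, image). A login event is (account, timestamp, ip).
PINS = [
    ("alice", "2012-03-17 08:02", "walmart_1000.jpg"),
    ("bob",   "2012-03-17 08:03", "walmart_1000.jpg"),
    ("carol", "2012-03-17 08:03", "bestbuy_card.jpg"),
    ("dave",  "2012-03-17 08:04", "walmart_1000.jpg"),
    ("erin",  "2012-03-17 08:05", "starbucks.jpg"),
    ("alice", "2012-03-17 09:10", "recipe.jpg"),       # ordinary pin, ignored by the checks
    ("frank", "2012-03-17 11:30", "bestbuy_card.jpg"),
]
LOGINS = [
    ("alice", "2012-03-16 20:00", "10.0.0.5"),
    ("bob",   "2012-03-15 12:00", "10.0.0.7"),
    ("carol", "2012-03-17 07:50", "10.0.0.9"),
    ("dave",  "2012-03-12 18:30", "10.0.0.11"),
    ("erin",  "2012-03-10 09:00", "10.0.0.12"),
    ("frank", "2012-03-17 11:25", "203.0.113.4"),   # fresh login right before the spam pin
]
# Constructed list of known spam offer images (hypothetical names).
SPAM_IMAGES = {"walmart_1000.jpg", "bestbuy_card.jpg", "starbucks.jpg"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def spam_pins(pins, spam_images):
    """Keep only pin events whose image is a known spam offer, with parsed timestamps."""
    return [(acct, _ts(t), img) for acct, t, img in pins if img in spam_images]


def burst_stats(pins, spam_images, bucket_minutes=5):
    """Per spam image: (distinct accounts, peak pins in any single time bucket).
    Many distinct accounts pinning the same image inside one short bucket is the
    automation signature; a human repin cascade ramps up far more slowly."""
    per_bucket = defaultdict(lambda: defaultdict(int))
    accounts = defaultdict(set)
    for acct, ts, img in spam_pins(pins, spam_images):
        floor = ts.replace(minute=ts.minute - ts.minute % bucket_minutes, second=0)
        per_bucket[img][floor] += 1
        accounts[img].add(acct)
    return {img: (len(accounts[img]), max(per_bucket[img].values())) for img in accounts}


def preceded_by_fresh_login(pins, logins, spam_images, window=timedelta(hours=1)):
    """Accounts whose spam pin was preceded by a login within `window`.
    Brute-forced or phished credentials produce a fresh session before the attacker
    pins; server-side or API-level abuse of already-authenticated accounts does not."""
    logins_by_account = defaultdict(list)
    for acct, t, _ip in logins:
        logins_by_account[acct].append(_ts(t))
    fresh = set()
    for acct, ts, _img in spam_pins(pins, spam_images):
        if any(timedelta(0) <= ts - lt <= window for lt in logins_by_account[acct]):
            fresh.add(acct)
    return fresh


def verdict(pins, logins, spam_images, threshold=0.5):
    """Crude triage: if fewer than `threshold` of the affected accounts show a fresh
    login before their spam pin, mass credential compromise is the less likely story."""
    affected = {acct for acct, _ts_, _img in spam_pins(pins, spam_images)}
    fresh = preceded_by_fresh_login(pins, logins, spam_images)
    share = len(fresh) / len(affected) if affected else 0.0
    label = "credential compromise likely" if share >= threshold else "platform-side abuse likely"
    return label, share, sorted(fresh)


if __name__ == "__main__":
    print(burst_stats(PINS, SPAM_IMAGES))
    print(verdict(PINS, LOGINS, SPAM_IMAGES))
```

On the constructed data, three distinct accounts pin the Walmart image inside one five-minute bucket while only two of the six affected accounts logged in during the hour before their spam pin, which is the pattern the post describes. Real triage would also compare session tokens, client IPs and the API client that issued each pin, none of which this sample models.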

In addition to the unauthorized posts, it seems that the hack makes the edit button disappear on some of the offending pins. Where the edit button should be there is just a blank space. Below I list a quick work-around for this. But the removal of this button points to how sophisticated the hack is and how open the Pinterest system is to exploitation.

One of the offending accounts that seemed to be the basis for the Best Buy gift card offer is now returning a 404 error, so hopefully Pinterest is addressing this issue.

Update 3/18: The hack occurring on St. Patrick’s Day likely allowed these pins to go unnoticed by the Pinterest team for longer than would have been the case on a normal weekday. Starting last night around 10PM CST, Pinterest began deleting the offending pins. As of this morning, a review of multiple Pinterest streams indicated that the issue appears to be resolved.

If your account has had spam pins added and the edit button is missing, you can still delete the pin:

1. Go to the specific pin page on Pinterest.

2. Add /edit to the end of the pin URL.

3. Hit enter.

4. Delete the pin just like you would any other pin.

5. Confirm you want to delete.
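The work-around above as an added Python helper (example code, not from the original post or from Pinterest): it appends /edit to a pin page URL while avoiding the double slash you get when the URL already ends in one, keeps any query string, and refuses URLs that are not pin pages. The /pin/ path prefix is assumed from the pin URL format in use at the time.

```python
from urllib.parse import urlsplit, urlunsplit


def pin_edit_url(pin_url):
    """Return the edit page URL for a pin page URL by appending /edit to its path.

    A pin URL usually ends in a slash (…/pin/123/), so the path is normalized
    first to avoid producing …/pin/123//edit. The query string is preserved and
    the fragment dropped, since the browser never sends the fragment to the server.
    The /pin/ prefix check is an assumption about the pin URL layout."""
    parts = urlsplit(pin_url)
    path = parts.path.rstrip("/")
    if not path.startswith("/pin/") or path == "/pin":
        raise ValueError("not a pin page URL: %s" % pin_url)
    return urlunsplit((parts.scheme, parts.netloc, path + "/edit", parts.query, ""))


if __name__ == "__main__":
    # Constructed example pin id; any pin page URL works the same way.
    print(pin_edit_url("http://pinterest.com/pin/123456789/"))
```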

Thanks to Mariam Shahab for sharing the basis of these tips.