Users of the social, image-sharing network Pinterest are complaining about widespread account takeovers that have spilled image spam onto adjoining social networks like Twitter and Facebook.
Though notice of the scam has picked up in the last day, there’s evidence that the spam runs have been going on for more than a week, with spammers posting images promoting work-at-home schemes.
The images were accompanied by messages such as “Omg this is so cool! Can’t wait for more!” and “Omg this is so exciting! Too excited for next ones!” The messages were accompanied by links back to the spam images on compromised Pinterest accounts.
As of Wednesday, Pinterest had removed many of the offending images, though some could still be viewed.
Users who had linked their Pinterest account to adjacent social networks like Facebook and Twitter found that the spammers quickly took advantage of that access, blasting out tweets and wall posts linking to the spammy images.
One, viewed by Naked Security, was advertising a work-at-home scheme that pays people to fill out online surveys.
“Someone hacked my Pinterest account. WHY?” lamented the Twitter user @Peterkin. Others posted messages apologizing to Twitter followers and promising to change their Twitter account password.
While it’s not clear how the compromises happened, they were likely the result of cross-site scripting or drive-by download attacks on the users’ web browsers.
Pinterest, based in San Francisco, California, is a popular and fast-growing social network that allows users to share photos and other images online. It has 20 million users and, in May, landed a $100 million investment from Japanese e-commerce firm Rakuten, valuing the startup at $1.5 billion.
Those scams have raised questions about whether the fast-growing network is doing enough to stop spammers from using its network as a launching pad.
Pinterest advises customers who have had their account taken over to change their password immediately and warns that “misleading third party apps” and “web browser extensions” often play a part in account takeover incidents.
The site also advises users to have a unique password for each social networking site – though it doesn’t say anything about refraining from linking your Pinterest account to other social networking services.