“Omg this is so cool!” Pinterest hack feeds spam to Twitter and Facebook

Users of the social, image-sharing network Pinterest are complaining about widespread account takeovers that have spilled image spam onto adjoining social networks like Twitter and Facebook.

Though notice of the scam has picked up in the last day, there’s evidence that the spam runs have been going on for more than a week, with spammers posting images promoting work-at-home schemes.

The images were accompanied by messages such as “Omg this is so cool! Can’t wait for more!” and “Omg this is so exciting! Too excited for next ones!” The messages were accompanied by links back to the spam images on compromised Pinterest accounts.

As of Wednesday, Pinterest had removed many of the offending images, though some could still be viewed.

Users who had linked their Pinterest account to adjacent social networks like Facebook and Twitter found that the spammers quickly took advantage of that access, blasting out tweets and wall posts linking to the spammy images.

One, viewed by Naked Security, was advertising a work-at-home scheme that pays people to fill out online surveys.

“Someone hacked my Pinterest account. WHY?” lamented the Twitter user @Peterkin. Others posted messages apologizing to Twitter followers and promising to change their Twitter account password.

While it’s not clear how the compromises happened, they were likely the result of cross-site scripting or drive-by download attacks on the users’ web browsers.

Pinterest, based in San Francisco, California, is a popular and fast-growing social network that allows users to share photos and other images online. It has 20 million users and, in May, landed a $100 million investment from Japanese e-commerce firm Rakuten, valuing the startup at $1.5 billion.

Spamming is explicitly forbidden by Pinterest’s terms of use, but that hasn’t stopped aspiring spammers from latching onto the click-happy medium.

As Naked Security reported in March, successful spammers have made good money by leveraging the network to blast out ads for things like Acai Berry diet products.

Those scams have raised questions about whether the fast-growing network is doing enough to stop spammers from using its network as a launching pad.

Pinterest advises customers who have had their account taken over to change their password immediately and warns that “misleading third party apps” and “web browser extensions” often play a part in account takeover incidents.

The site also advises users to have a unique password for each social networking site – though it doesn’t say anything about refraining from linking your Pinterest account to other social networking services.

_{ATM and PIN machines images courtesy of ShutterStock.}