Social media management software company Buffer is investigating a bug in its login system that allowed a small number of users to access accounts that did not belong to them.
Buffer’s login system used access tokens to provide private and safe access to the platform. However, the bug caused some accounts to be issued with the same access token, which would direct one of the two users affected to the wrong account when logged in.
According to an email allegedly sent out by Buffer yesterday, the issue affected just 467 of the platform’s 7.8 million users, all of whom have been contacted separately to inform them of the issue.
The email insists that no personal information such as passwords or credit card details was compromised as a result of the bug. However, once logged in, it was possible to view the account owner’s email address, connected social media profiles and the IP addresses previously used to access the account through the settings pages.
The issue, which was seemingly discovered by a Buffer user, was identified on Friday and resolved over the weekend. A “more secure” system has been put in place to grant access tokens, and all accounts have been upgraded to this new system as a precaution.
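The article describes the bug only in outline (two accounts issued the same access token, so a token lookup can land on the wrong account) and the fix as revoking the shared tokens and issuing new ones. The following is an added example, not Buffer’s code, showing how a defender would audit a token store for that condition, refuse ambiguous logins, and reissue unique random tokens; the token store layout, account IDs and token values are constructed for illustration.

```python
import secrets
from collections import defaultdict

# Constructed sample token store: account ID -> issued access token.
# "acct_1021" and "acct_3377" were issued the same token (the collision case).
SAMPLE_TOKENS = {
    "acct_1021": "tok_a1b2",
    "acct_3377": "tok_a1b2",
    "acct_4502": "tok_c3d4",
    "acct_8810": "tok_e5f6",
}

def find_shared_tokens(tokens):
    """Detection: return {token: [accounts]} for every token bound to more than one account."""
    by_token = defaultdict(list)
    for account, token in tokens.items():
        by_token[token].append(account)
    return {t: sorted(a) for t, a in by_token.items() if len(a) > 1}

def resolve_account(tokens, presented):
    """Session lookup: a token must map to exactly one account; anything else is rejected."""
    owners = [a for a, t in tokens.items() if t == presented]
    return owners[0] if len(owners) == 1 else None

def issue_token(in_use):
    """Mint a 256-bit CSPRNG token and enforce uniqueness against tokens already issued."""
    while True:
        token = secrets.token_urlsafe(32)
        if token not in in_use:
            return token

def revoke_and_reissue(tokens):
    """Mitigation: revoke every shared token and give each affected account its own.
    Returns (new_store, affected_accounts); unaffected accounts keep their tokens."""
    shared = find_shared_tokens(tokens)
    affected = sorted(a for accounts in shared.values() for a in accounts)
    new_store = dict(tokens)
    in_use = set(new_store.values()) - set(shared)  # shared tokens are revoked outright
    for account in affected:
        token = issue_token(in_use)
        in_use.add(token)
        new_store[account] = token
    return new_store, affected
```

The uniqueness check in `issue_token` is belt-and-braces against a collision that is astronomically unlikely with 256-bit random tokens; the audit in `find_shared_tokens` is the part that would have surfaced this class of bug before a user did.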
Buffer login system bug: Has GDPR been breached?
According to the United Kingdom’s Information Commissioner’s Office, under GDPR law, a data breach doesn’t have to involve malicious actors forcefully gaining unauthorised access to personal data.
A data breach means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.
“There will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed”.
The Buffer login system bug seemingly fits the definition of a data breach under GDPR. While the data that was accessible may not have been particularly sensitive, the European Commission states that email addresses and IP addresses are both examples of personal data.
“It could be argued that this flaw in access tokens broke data protection rules, but you would have to prove that personally identifiable information was compromised,” Jake Moore, a cybersecurity specialist for IT security company ESET, told Verdict.
The ICO states that enterprises only need to alert data regulators if they believe that the breach puts the rights and freedoms of those affected at risk. If Buffer doesn’t believe there is a risk, and it is able to support its belief, it does not need to inform regulators.
Organisations have 72 hours to contact authorities if they believe a personal data breach has occurred. The organisation must also alert the individuals impacted “without undue delay”, as Buffer has done.
Moore believes that, in cases like this, where it is unclear whether a data breach has occurred, organisations should turn to authorities like the ICO who will be able to offer advice on the best steps to take:
“To be on the safe side, the ICO are there to gain advice from as well as report data mishaps. Furthermore, the ICO isn’t always keen to dish out fines at the first instance or breach, if they don’t view it as proportionate.”
A Buffer spokesperson confirmed to Verdict that a bug was identified in its login system, and that it is working to notify all appropriate regulatory authorities where required:
“I can confirm that we identified a bug with our login system that made it possible in very rare cases for two accounts to share one access token. We have determined that fewer than .01% of our users may have been affected by this bug.
“We immediately took steps to revoke those tokens, issue new more secure tokens, and provide the notice to the affected users. We have fully resolved this bug. We also provided information to users who were not affected, and we have notified or are working to notify appropriate regulatory officials where required.”