It seems that OneSignal has been hacked! In recent hours, many WordPress users complained that the famous web push notifications plugin OneSignal started spamming everyone with adult sites.
OneSignal is an important WordPress plugin that increases user engagement. This tool sends visitors targeted push notifications so they keep coming back.
But according to many users and site owners, it started sending notifications from adult sites, which irritated users and site owners.
One angry user wrote: “I was using this plugin until about 3 weeks ago it all of a sudden started spamming everyone with adult sites. Too bad, now I need to tell everyone how to get the push notifications off of their computer!”
The OneSignal author replied:
“We’re so sorry to hear this happened to you. I want to assure you that we take the security of our plugin very seriously, and we would never want a customer’s account to be compromised.
It’s likely that the hacker was somehow able to guess your WordPress or OneSignal password. You can also check your email here to see if your password has ever been leaked anywhere: https://haveibeenpwned.com/
We also recommend immediately changing your OneSignal and WordPress plugin, as well as resetting your OneSignal API key by following the instructions here: https://documentation.onesignal.com/docs/accounts-and-keys#section-resetting-your-rest-api-key
Another possibility is that somehow your OneSignal REST API key was shared online. We’ve seen this happen if customers accidentally uploaded sensitive data to GitHub or another public place.
If there’s anything at all we can do to help, please don’t hesitate to contact our support team. While we don’t think this was a problem with OneSignal itself, we want to do whatever we can to make things right.”
But another user insisted that the problem is not about website security and that OneSignal itself has been hacked. He said: “Same thing happened with my account.
I changed the password and reset the API key and reinstalled the server, but the same thing happened:
Someone is sending adult notifications to all my apps. There are 2 possible options:
OneSignal got hacked, or OneSignal is sending those notifications without our permission.”
Did you face this problem with your site?