Buffer is handling this exceptionally well; I'm impressed and it isn't easy. We've caught bugs that lead to this sort of exploitation in the past, so if anyone from Buffer is reading this: we're happy to help you out and offer a few free months of website security scanning while you figure out exactly what happened. Just email me at borski@tinfoilsecurity.com