Users of Twitter/X alternative service Spoutible claim the company removed their posts after they asked Spoutible CEO Christopher Bouzy to be more honest about the nature of recent security issues. The company denies the claims, but it's the latest bizarre development in a string of security incidents at the startup over the past week.
Last week, Bouzy admitted that his startup, which he envisions as a more inclusive and kind Twitter, had a security vulnerability that exposed users' emails and phone numbers. But Troy Hunt, a security researcher and creator of Have I Been Pwned, a website that lets you see if your data has been compromised in a data breach, found that Spoutible's developer API was also exposing information that could be retrieved by others and used to attack users' accounts without their knowledge.
Hunt detailed his findings regarding the more serious issues on his website, noting that the Spoutible API returned data that included not only the bcrypt hashes of other users' passwords but also their 2FA secrets and password reset tokens, which could be reused to reset those users' accounts.
So, as The Verge reported at the time, the vulnerability was highly exploitable and could allow a malicious attacker to take over a user's account without their knowledge. Hunt was alerted to the issue by a third party who claimed to have collected data from Spoutible's services. As the Have I Been Pwned account confirmed on X, the scrape of Spoutible had collected 207,000 user records containing “name, email, username, phone number, gender, bcrypt password hash, 2FA secret, and password reset token” from a misconfigured API.
As of June of last year, Spoutible had 240,000 registered users, so the breach affected a significant portion of the small social network's user base.
The security researcher explained that this vulnerability could have been exploited by malicious parties to obtain hashed versions of users' passwords. Although the passwords were hashed with bcrypt, shorter passwords would be easier to guess and crack. Additionally, Hunt noted that account holders do not receive email notifications about password changes, so they would not know if their account was no longer under their control.
This sort of thing would be a problem for any startup, but especially when the user base is full of early adopters who might simply try Spoutible for a while and then move on to another Twitter alternative, leaving their accounts behind, ripe for the taking.
Spoutible CEO Christopher Bouzy acknowledged the data breach and vulnerability, and after addressing the issue, the company asked users to create new, stronger passwords. But he also called the discovery of the vulnerability an “attack” on his own network, claiming that the person who scraped the data was someone who intended to damage Spoutible's reputation.
In his post, Bouzy referenced the notifier who sent the scraped records to Hunt and said, “We are confident that the person involved is the mastermind who has been attacking Spoutible for a year.”
In an email with TechCrunch, Bouzy further explained his theory, saying that an online group known as “Doubtible” was behind the attack. Doubtible runs a Twitter/X account that “tweets falsehoods about Spoutible, me, and prominent members of our community every day,” Bouzy said. “We strongly believe that this group is behind the fraudulent collection of our data.” Bouzy repeated this accusation in his response to a Trustpilot review, and he also said he had alerted the FBI to the matter.
“Someone doesn't need to scrape 207,000+ records to uncover vulnerabilities,” Bouzy continued. “But including the data also makes it much more newsworthy. If someone were to try to expose a vulnerability to damage a company's reputation, Mr. Hunt would be the ideal point of contact. The reasoning behind their choice is clear: Mr. Hunt's tweets, blog posts, and follow-up videos are completely consistent with their intentions. The way Mr. Hunt sensationalized and portrayed this incident was what they wanted,” he added conspiratorially.
Bouzy said the security vulnerability was created when someone on his team used a function intended for the user API in conjunction with a function designed for the public API, which exposed emails and phone numbers that should have been encrypted in clear text. He said Spoutible is partnering with a security firm to further review its systems in light of the incident.
Still, several people have since accused Bouzy of trying to downplay the severity of the vulnerability, including data journalist Dan Nguyen, who reshared a post on Bluesky by tech entrepreneur Anil Dash warning users, “Don't do it.” Another Bluesky user vividly described Spoutible's dumping of user data as similar to “Montezuma's Revenge.”
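As an added illustration of the root cause Bouzy describes (a serializer meant for the authenticated user API reused on the public endpoint), and not Spoutible's own code: a Python sketch of an allowlist serializer beside the naive "dump the whole model" one, plus a regression check an API test suite could run to flag any response that carries a bcrypt hash, 2FA secret or reset token. The field names, the `UserRecord` class and the sample record are constructed for the example.

```python
from dataclasses import dataclass, asdict
import json

# Constructed sample record shape; values below are placeholders, not real data.
@dataclass
class UserRecord:
    name: str
    username: str
    email: str
    phone: str
    gender: str
    password_hash: str   # bcrypt hash: must never leave the server
    totp_secret: str     # 2FA secret: must never leave the server
    reset_token: str     # password reset token: must never leave the server

# Keys that must not appear in any API response, public or authenticated.
SECRET_FIELDS = frozenset({"password_hash", "totp_secret", "reset_token"})
# What the unauthenticated public profile endpoint may return.
PUBLIC_FIELDS = ("name", "username")
# What the account owner may additionally see about their own account.
OWNER_FIELDS = PUBLIC_FIELDS + ("email", "phone", "gender")

def serialize_naive(user: UserRecord) -> dict:
    """The failure mode: the whole model object becomes the response body."""
    return asdict(user)

def serialize(user: UserRecord, viewer_is_owner: bool = False) -> dict:
    """Allowlist serializer: copy named fields out, never strip from the full object."""
    allowed = OWNER_FIELDS if viewer_is_owner else PUBLIC_FIELDS
    return {field: getattr(user, field) for field in allowed}

def leaked_fields(payload) -> set:
    """Regression check: secret keys found anywhere in a decoded JSON payload."""
    found = set()
    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in SECRET_FIELDS:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)
    walk(payload)
    return found

def check_response_body(body: str) -> set:
    """Same check over the raw JSON text a test client receives."""
    return leaked_fields(json.loads(body))

SAMPLE = UserRecord("Alice Example", "alice", "alice@example.invalid", "+1-555-0100",
                    "f", "$2b$12$PLACEHOLDER", "PLACEHOLDERTOTP", "PLACEHOLDERRESET")
```

Running `check_response_body` against every endpoint in the test suite turns the field-mixup Bouzy describes into a failing test rather than a breach.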
The data breach is already bad PR for the startup, but it raises questions about whether the company is silencing its critics.
One Spoutible user, Mike Natale, publicly accused the CEO of deleting a post on the social networking site in which he called on Bouzy to be more transparent.
“Bouzy… deleted all my posts and wiped down the walls,” Natale wrote in response to another Bluesky user.
In a separate reply, Natale said Bouzy had originally reposted his post on Spoutible when commenting on the incident, but that after he pushed back on the “theories that this was an attack” and the claims that “other companies have been attacked” by the same flaws, all of his posts were deleted.
Missing posts do not include the usual tags that indicate deletion. In Spoutible, deleted posts have a system note attached that says “@user deleted this reply.” For example, if Bouzy deleted a reply, you'd see “@bouzy deleted this reply.”
But in this case, Natale said in a comment on Bluesky, the posts just disappeared, and Spoutible's main feed also wouldn't load.
The Twitter/X account Doubtible also posted about Natale's claims. Natale did not respond to requests for comment.
Meanwhile, Spoutible CEO Christopher Bouzy denied deleting Natale's posts.
“Regarding the issue of user Natale, we did not remove their posts or accounts. Users may remove their own content and subsequently falsely accuse us,” he said, again hinting at a conspiracy. He concluded that “this allegation is baseless and not worth further discussion.”
The incident with Spoutible is reminiscent of Hive, another small company that suffered serious security issues after being inundated with Twitter users shortly after Elon Musk's acquisition. In that case, the startup shut down the app completely to fix the critical flaw and then returned it to the app stores. Hive managed to weather the storm and eventually came back, but the missed opportunity meant that it was no longer seen as a threat to Twitter.
It remains to be seen whether Spoutible's reputation will ever recover from this stain.