Users on Twitter/X alternatives spout claims the company removed their post after urging Spoutible CEO Christopher Bouzy to be more honest about the nature of its recent security issues. The company has denied the claims, the latest bizarre twist in the saga of security incidents that have unfolded over the past week at launch.
Last week, Bucci admitted Security vulnerability He said this exposed the emails and phone numbers of users of his startup, which is targeting A more inclusive, kinder TwitterHowever, security researcher Troy Hunt, Have I been cheated? The website, which allows people to check whether their data was compromised in the breach, found that Spoutible’s developer API also exposed information that bad actors could use to take over user accounts without their knowledge.
hunt His findings into this more serious allegation are detailed on his websitenote that the data returned by the Spoutible API includes the bcrypt hash of any other user’s password, as well as the 2FA (two-factor) secret and token that can be reused to reset the user’s password.
In short, this vulnerability is highly exploitable and could allow a bad actor to take over a user’s account without their knowledge, e.g. The Verge reported at the time. Hunt has been alerted by a third party who claimed they had scraped material from Spoutible’s service. As Have I Been Pwned’s Account X ConfirmSpoutible removed 207,000 user records from its misconfigured API, including “name, email, username, phone, gender, bcrypt password hashes, 2FA secrets, and password reset tokens.”
As of June last year, Spoutible has 240,000 registered users As such, the breach affected a large portion of the smaller social network’s user base.
Security researchers explained that the flaw could have been exploited by bad actors who were able to obtain hashed versions of user passwords. Although passwords are protected with bcrypt, shorter passwords may be easier to guess and crack. Hunter noted that no email notifications are sent to account holders about password changes, so they never know if their account is no longer under their control.
This sort of thing is a problem for any new startup, especially one whose user base is filled with early adopters who might just try Spoutible for a while before moving on to another Twitter alternative, leaving it semi-abandoned The account is mature. take.
Spoutible CEO Christopher Bouzy confirmed the data breach and vulnerability, and the company asked users to create new, stronger passwords, back Solve the problemHowever, he also called the discovery of the vulnerability an “attack” on his network and claimed that the scrapers intended to damage Spoutible’s reputation.
“We…are convinced that the person involved is the ringleader who has been attacking Spoutible for a year,” Bouzy said in the postrefers to the notifier who sends the captured records to Hunt.
In an email to TechCrunch, Bouzy further elaborated on his thoughts, claiming that the online group is calledsuspicious“,” it emerged early last year that it was the man behind the attack. Doubtible operates a Twitter/X account who “tweets false information every day about Spoutible, me and prominent members of our community,” Bouzy said. “We firmly believe that this group is behind the unauthorized scraping of our data” – an allegation Bouzy repeated in response In a comment on Trustpilot, he also said he was alerting the FBI to the matter.
“Someone didn’t need to crawl over 207,000 records to reveal a vulnerability,” Bouzy continued. “However, by including the data, it significantly increases the news value. If someone were trying to damage the company’s reputation by exposing a vulnerability, Mr. Hunter would indeed be their ideal contact. The reason for their choice is clear: Mr. Hunter’s recommendation The article, blog post and subsequent video did exactly what they intended. The way Mr. Hunter hyped and described the incident was exactly what they wanted it to be,” he added conspiratorially.
Bouzy claimed that the security breach occurred because someone on his team used a function designed for the user settings API and a function designed for the public API, which is why the encrypted email and phone number were exposed in clear text. He said Spoutible has now worked with a security firm to further review its systems in light of the incident.
Still, some have since accused Bouzy of trying to downplay the severity of the vulnerability, including Data journalist Dan Nguyenrecently forwarded Tech Entrepreneur Anil Dash’s post on Bluesky Warn users to “stop talking nonsense”. Another Bluesky user colorfully mentioned Spoutible’s behavior of dumping user data is similar to “Montezuma’s Revenge.”
While a data breach is already bad PR for a startup, questions are now being raised about whether the company is silencing critics.
Mike Natale, a Spoutible user, publicly stated Accusing the CEO of deleting his posts On social media, he urged Bouzy to be more transparent.
“Boozy… deleted all my posts and wiped my wall,” Natale wrote in response to another Bluesky user.
In another reply, Natale explains Bouzy initially retweeted his post on Spoutible to comment on the incident, but later deleted all of Natale’s posts while refuting the claim that this was an attack and that “other companies have the same flaw.”
The missing posts did not contain the usual tags indicating their removal. On Spoutible, deleted posts will have a system comment attached that reads “@user deleted this response.” For example, if Bouzy deleted the reply, it would read “@bouzy deleted this response.” “
But in this case, Natale said in the comments of Bluesky, the post disappeared and his main Spoutible feed wouldn’t even load.
Twitter/X account Doubtible also posted about Natale’s claims. Natale has not responded to a request for comment.
Meanwhile, Spoutible CEO Christopher Bouzy denied deleting Natale’s post.
“Regarding user Natale’s issue, we did not delete their posts or account. It is possible that users deleted their own content and then falsely accused us,” he said, again suggesting there was a conspiracy. “This accusation is baseless and does not merit further discussion,” he concluded.
Spoutible’s incident is reminiscent of another smaller company, Hive, which was flooded with Twitter users shortly after being acquired by Elon Musk and also experienced major security issues. The startup shut down its app entirely Fix critical defects before returning to the App Store. Hive managed to weather the storm and eventually returned, but was no longer considered a threat to Twitter after losing its chance.
Whether Spoutible’s reputation can recover from this stain remains to be seen.