A user of the Twitter/X alternative Pouring spout claims the company removed his posts after pushing Spoutible CEO Christopher Bouzy to be more honest about the nature of its recent security issue. The claims, which the company denies, are the latest bizarre twist in the saga of security incidents that have taken place over the past week at the startup.
Last week, Bouzy recognized a security vulnerability who he claimed had exposed the email addresses and phone numbers of users of his startup, positioned as a Twitter more inclusive and kinder. However, security researcher Troy Hunt, creator of the Have I been pwned The website, which allows users to check if their data has been compromised in a data breach, discovered that Spoutible's developer's API also exposed information that malicious actors could have used to take control of user accounts without their knowledge.
Hunting detailed its findings on this much more serious accusation on its websitenoting that the Spoutible API returned data including the bcrypt hash of any other user's password, as well as 2FA (two-factor) secrets and the token that could be reused to reset a user's password user.
In short, this vulnerability was highly exploitable and could have allowed a bad actor to take over a user's account without their knowledge, such as The Verge reported at the time. Hunt was alerted to this problem by a third party who claimed to have retrieved data from Spoutible's service. As Have I Been Pwned's account confirmed onSpoutible removed 207,000 user records from its misconfigured API, including “name, email, username, phone, gender, bcrypt password hash, 2FA secret and password reset token.”
Since last June, Spoutible had 240,000 registered users the violation therefore affected a good part of the user base of the smaller social network.
The security researcher explained that the vulnerability could have been exploited by bad actors, who could have obtained a hashed version of users' passwords. Although the passwords were protected via bcrypt, shorter passwords might have been easier to guess and crack. Additionally, no email notification would be sent to the account holder about the password change, so they would never know if their account was no longer under their control, Hunt noted.
This sort of thing would have been a problem for any startup, but especially if the user base is full of early adopters who may have just tried Spoutible for a while before moving on to another alternative. Twitter, leaving semi-abandoned accounts ripe for the taking.
Christopher Bouzy, CEO of Spoutible, confirmed the data breach and vulnerability and the company asked users to create new, stronger passwords, After address the problem. However, it also called the discovery of the vulnerability an “attack” on its network and alleged that the person who retrieved the data was someone who intended to damage Spoutible's reputation.
“We are… convinced that the person involved is the ringleader who has been attacking Spoutible for a year,” Bouzy said in a messagereferring to the notifier who sent Hunt the retrieved recordings.
In an email with TechCrunch, Bouzy laid out his ideas in more detail, alleging that the online group known as “Doubtful“, which emerged early last year, was behind the attack. Doubtible runs a Twitter/X account where they “tweet lies about Spoutible, me, and prominent members of our community on a daily basis,” Bouzy said. “We strongly believe that this group is behind the unauthorized scraping of our data” — an accusation Bouzy repeated in a response to a review on Trustpilot, where he also suggested he was alerting the FBI about the matter.
“Someone doesn't need to scrape more than 207,000 records to reveal a vulnerability,” Bouzy continued. “However, by also including data, it makes it much more newsworthy.” If someone is looking to reveal a vulnerability in order to tarnish a company's reputation, Mr. Hunt would indeed be the ideal contact. The reason for their choice is clear: Mr. Hunt's tweets, blog post and follow-up video perfectly match their intentions. The way Mr. Hunt sensationalized and described the incident is exactly what they were hoping for,” he added conspiratorially.
Bouzy claims the security breach occurred because a member of his team used a function intended for the User Settings API with a function designed for the public API, which is why the emails and numbers encrypted phone messages were exposed in plain text. He said Spoutible has now partnered with a security company to further review its systems, in light of this incident.
Yet several people have since accused Bouzy of trying to downplay the severity of the vulnerability, including data journalist Dan Nguyenwho recently reshared tech entrepreneur Post by Anil Dash on Bluesky warning users to “get off the spout”. Another Bluesky user colorfully referenced to Spoutible's dumping of user data, similar to “Montezuma's Revenge”.
Although a data breach is already bad communication for a startup, it is now questionable whether or not the company is silencing its critics.
A Spoutible user, Mike Natale, publicly accused the CEO of deleting his posts on the social network, where he had pushed Bouzy to be more transparent.
“Bouzy… deleted all my messages and erased my wall,” Natale wrote, in response to another Bluesky user.
In another answer, Natale explained that Bouzy had initially reposted his posts on Spoutible to comment on the topic, but then deleted all of Natale's posts when he objected “to the narrative that this was an attack” and “that others companies had the same faults.
Missing messages do not have the usual tag indicating they were deleted. On Spoutible, deleted posts are accompanied by a system note stating “@user deleted this reply.” For example, if Bouzy had deleted the reply, it would have read “@bouzy deleted this reply”.
But in this case, Natale said in comments on Bluesky that the posts simply disappeared and her main Spoutible feed wouldn't even load.
The Twitter/X account Doubable also published articles about Natale's claims. Natale did not respond to requests for comment.
Meanwhile, Christopher Bouzy, CEO of Spoutible, denies deleting Natale's posts.
“Regarding the issue with user Natale, we have not removed her posts or her account. It’s possible that users are deleting their own content and then falsely accusing us,” he said, again suggesting a conspiracy. “This allegation is baseless and does not merit further discussion,” he concluded.
The incident at Spoutible is reminiscent of another small company, Hive, which also experienced a major security issue after being flooded with Twitter users shortly after acquiring Elon Musk. In this case, the startup completely shut down its app to fix critical flaws before returning to the App Store. Hive managed to weather the storm and eventually come back, but is no longer seen as a threat to Twitter after its lost opportunity.
It also remains to be seen whether Spoutible's reputation will recover from this stain.