Dan Nguyen
A
In response to Paulette Hawkins.
Oh what a loss
12:09 AM - Feb 09, 2024
0
0
Dan Nguyen
A
In response to BattleFuzz.
Then shut the hell up and read my post and keep quiet until you have something useful to say
11:36 PM - Feb 08, 2024
2
0
Dan Nguyen
A
In response to BattleFuzz.
I don’t believe I was talking to you?
10:35 PM - Feb 08, 2024
1
0
Dan Nguyen
A
In response to Anton Brakhage.
FWIW here's how he described a much more serious & devastating breach: https://www.troyhunt.com/w...

But his Spoutible headline is still apt: it's not just that there was a big data leak, but that a public API was exposing it. That's a rare & strange situation
01:11 PM - Feb 07, 2024
0
1
Dan Nguyen
A
In response to Salma Typhii.
Bouzy thinks differently, and I agree with him. There is no need for a well-intentioned researcher to mass scrape a vulnerable API — never mind collect all the data into a file that can be sent around — to prove that an API is vulnerable.
02:28 PM - Feb 06, 2024
1
4
Dan Nguyen
A
In response to Isa-Lee Wolf.
Sure, that's why you didn't know what the breach contained or that it got a massive fine. Have a good day!
02:12 PM - Feb 06, 2024
1
0
Dan Nguyen
A
In response to Karen B.
Also, when Hive Social, also a post-Twitter social network, had a similarly major breach, it got plenty of tech site coverage. The attention Spoutible is getting is not a radical outlier
02:06 PM - Feb 06, 2024
0
0
Dan Nguyen
A
In response to Karen B.
HHS has a site where companies are required to report health data breaches:

https://ocrportal.hhs.gov/...

I don't know the deal with your specific provider, but googling the Kern breach (just 700 ppl) yields articles. It's not just social media sites that make the news
02:03 PM - Feb 06, 2024
0
0
Dan Nguyen
A
In response to Isa-Lee Wolf.
If someone were able to silently log into anyone's FB account, the damage would be catastrophic, but that's not what FB's leak enabled. Also FB was fined $276 million so not sure why you think it was an incident that everyone just ignored.
01:54 PM - Feb 06, 2024
1
0
Dan Nguyen
A
In response to Isa-Lee Wolf.
Personally I haven't used DMs here and try to not use them on any other site, but I understand that's not how other people use social media. If you don't think having other ppl secretly log into your account is a problem, then why not disable your 2fa and post your password? What could the harm be?
01:28 PM - Feb 06, 2024
2
0
Dan Nguyen
A
In response to Christopher Bouzy.
Thanks for the clarification/additional context. I know it takes time to analyze the logs for past suspicious activity and not to expect the investigation to have all the answers within 24hrs or even a week.
01:08 PM - Feb 06, 2024
0
4
Dan Nguyen
A
In response to Isa-Lee Wolf.
"what is the worst thing that could happen with a hacked Spoutible account"

Pretty easy question that you can generalize: What is the worst thing that could happen if an attacker were able to log into your account without you knowing? I think for most people, it'd be the ability to read your DMs
01:05 PM - Feb 06, 2024
1
0
Dan Nguyen
A
In response to Dan Nguyen.
"Did you get this worked up about the leaks/scrapes in this article?"

I mean, yes? But none of those leaks exposed password reset tokens. It's one thing to have to change your password, it's another to leak data that allows an attacker to silently access ANY account.

Again, from Hunt:
01:00 PM - Feb 06, 2024
0
0
Dan Nguyen
A
In response to Isa-Lee Wolf.
I wouldn't label myself a "security expert" but I've had a career in scraping publicly-facing corporate data for investigative projects, so I know the lingo and surrounding law.

In this context, the API *leaked* data. And someone "scraped" it, I'm not sure why this is a contentious point for you?
12:55 PM - Feb 06, 2024
3
0
Dan Nguyen
A
In response to Isa-Lee Wolf.
Yes I read and understood it.

Did you stop reading there? Because in the very next section Hunt points out how an attacker didn't need to decrypt the passwords OR the 2FA token, because they could just plug in the password reset token and silently reset anyone's password
12:49 PM - Feb 06, 2024
1
0
Dan Nguyen
A
In response to Sabine.
Yep that's a good step in the right direction, but what's also needed (and maybe it's included but wasn't mentioned in Bouzy's post for brevity) is for all potentially affected users to be logged out, which would guarantee kicking out attackers who had silently changed passwords for accounts
12:45 PM - Feb 06, 2024
0
0
Dan Nguyen
A
In response to Isa-Lee Wolf.
Sorry do you think "leak" and "scrape" are 2 different things? Yes, it was a "leak": the API was accidentally misconfigured to return more data than intended. And someone was able to repeatedly hit up the API (i.e. scrape it) for 207k user records.
12:42 PM - Feb 06, 2024
2
4
Dan Nguyen
A
In response to Isa-Lee Wolf.
The notifier sent Hunt "a file with 207k scraped records". You're right, it's possible someone did all that work (which would risk exposing them to criminal investigation) and told Troy about it, out of the goodness of their heart.

The more likely case is this person found the file, then told Hunt
12:19 PM - Feb 06, 2024
1
0
Dan Nguyen
A
In response to Isa-Lee Wolf.
"Where did you get the data being sold on the dark web from that excerpt?"

To get 207k user records (i.e. the entire active userbase), you would have to scrape the API 207k times. This isn't hard, but it also isn't "white hat" behavior — hitting the API just ONCE would prove the vulnerability
12:14 PM - Feb 06, 2024
1
5
Dan Nguyen
A
In response to Dan Nguyen.
...as Hunt pointed out, Spoutible doesn't currently have a way to force existing sessions to log out — i.e. when you changed your password, it didn't log you out of your current browser session. And it wouldn't log out an attacker who changed your p/w w/o you knowing the past couple of weeks
12:12 PM - Feb 06, 2024
2
2
Dan Nguyen
A
In response to Isa-Lee Wolf.
The leaked passwords were encrypted. But most of the data fields in the API were not, including the token that is used for generating a p/w reset page: an attacker doesn't need to know your password when they can just reset it and login without you knowing.

The API and tokens were fixed, but...
12:10 PM - Feb 06, 2024
2
1
Dan Nguyen
A
In response to Salma Typhii.
No, Spoutible was alerted by Troy Hunt on the afternoon of Feb. 4 and notified users several hours later. Kudos to the fast response. However we don't know for sure when the records were first collected and put up for sale.
12:07 PM - Feb 06, 2024
1
2
Dan Nguyen
A
In response to Salma Typhii.
I don’t think that’s the case. Someone contacted Troy Hunt alerting him to the existence of the file of 207k records. It’s likely they saw the data being sold on the black market and told Hunt about it. Why would a white hat researcher scrape all 200k records before notifying security experts?
11:55 AM - Feb 06, 2024
2
3
Dan Nguyen
A
In response to Isa-Lee Wolf.
The API leaked everyone’s password reset tokens — allowing an attacker to silently change the password (since Spoutible doesn’t send an email about the change) and log into any account. If we’re lucky, no one was compromised but it’s too early to tell
11:51 AM - Feb 06, 2024
1
0
Dan Nguyen
A
In response to Joe Rybicki.
I don't have 2fa enabled but I experienced the same password issue that you did, i.e. changing the password didn't force my active logged-in sessions to log out. Which is majorly problematic as Troy pointed out in his writeup:
06:16 PM - Feb 05, 2024
0
0
Dan Nguyen
A
In response to Christopher Bouzy.
I was able to change my password, but I noticed Spoutible doesn't send an email notifying the user of the p/w change. Nor does it expire active sessions (i.e. on my other laptop where I had been logged in, the p/w change didn't log me out)

Is there a plan to invalidate sessions just to be sure?
06:06 PM - Feb 05, 2024
0
2
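Added example (not code from Spoutible or from Troy Hunt's writeup): a small Python model of the two issues raised in the posts above, an API that returned password reset tokens alongside public fields and a password change that left existing sessions valid and sent no email, each beside one mitigation. User, Session, SESSIONS and OUTBOX are hypothetical names.

```python
# Added example (not Spoutible's or Troy Hunt's code; names are hypothetical):
# a minimal model of the two defects in the posts above, each beside a fix:
# (1) a user serializer that returned the password reset token with the public
# fields, and (2) a password change that kept old sessions alive and sent no email.
from __future__ import annotations
import secrets
from dataclasses import dataclass

@dataclass
class User:
    id: int
    username: str
    password_hash: str         # stored hashed, never plaintext
    reset_token: str | None    # secret: must never leave the server
    session_epoch: int = 0     # bumped whenever credentials change

@dataclass
class Session:
    user_id: int
    epoch: int                 # the user's session_epoch at login time

SESSIONS: dict[str, Session] = {}
OUTBOX: list[str] = []         # stand-in for the notification email queue

def serialize_user_leaky(u: User) -> dict:
    """The defect: dumping the whole record exposes reset_token (and the hash)."""
    return vars(u)

PUBLIC_FIELDS = ("id", "username")

def serialize_user(u: User) -> dict:
    """Fix: an explicit allow-list of fields the public API may return."""
    return {k: getattr(u, k) for k in PUBLIC_FIELDS}

def login(u: User) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(u.id, u.session_epoch)
    return sid

def session_is_valid(sid: str, u: User) -> bool:
    """A session is honoured only if it was issued under the user's current epoch."""
    s = SESSIONS.get(sid)
    return s is not None and s.user_id == u.id and s.epoch == u.session_epoch

def change_password(u: User, new_hash: str) -> None:
    """Fix: rotate credentials, expire every existing session, notify the user."""
    u.password_hash = new_hash
    u.reset_token = None       # any outstanding reset link is now useless
    u.session_epoch += 1       # sessions issued before this change stop validating
    OUTBOX.append(f"user {u.id}: your password was changed; if this wasn't you, contact support")
```

The epoch check is what "logging out all potentially affected users" amounts to server-side: bumping every user's session_epoch once invalidates every session issued before the incident.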
Dan Nguyen
A
In response to Christopher Bouzy.
What does “some cell phone numbers” mean?
02:12 PM - Feb 05, 2024
0
0
Dan Nguyen
A
In response to Denise in Texas.
Are you under the impression that @theonion has been reluctant to comment on Sen. McConnell?
11:32 AM - Sep 08, 2023
1
1
Dan Nguyen
A
In response to Christopher Bouzy.
It makes sense how Detectify’s automated form filler would create a bot account with the name + username of “Detectify”, but I’m a little confused how the account has a location of U.S. and bio text (“We drive the future of internet security…”)

Shouldn’t those fields be “Sweden” and “Detectify”?
06:21 PM - Jun 17, 2023
0
1
Dan Nguyen
A
In response to Dan Nguyen.
There's no full-time staff/developers at Spoutible, or has that changed since this was reported?
10:28 AM - Jun 07, 2023
0
1