Advertisement: Click here to learn how to Generate Art From Text
Twitter/X Alternative: A user’s view SpoutibleSpoutible CEO Christopher Bouzy was allegedly pressed to be more honest by the users after the company removed their posts. The company denies the claims. This is the latest bizarre twist to the security incident saga that has been unfolding at the startup over the last week.
Bouzy acknowledged last week that a Security vulnerability that he said had exposed users’ emails and phone numbers at his startup, positioned as a Twitter: more inclusive, kinder. Security researcher Troy Hunt is the creator of theHave I Been Pwned website, which allows people to check to see if their data was compromised in a data breach, found that Spoutible’s developer API was also exposing information that bad actors could have used to take over users’ accounts without them knowing.
Hunt On his website, he detailed his findings on that far more serious charge, noting that the Spoutible API returned data including the bcrypt hash of any other user’s password, plus 2FA (two-factor) secrets and the token that could be reused to reset a user’s password.
In short, this vulnerability was highly exploitable and could have allowed a bad actor to take over a user’s account without them knowing, as The Verge reported the story at the time. Hunt had been alerted to this issue by a third party who claimed they had scraped data from Spoutible’s service. As Have I Been Pwned’s account Confirmed on X, Spoutible had 207,000 user records scraped from its misconfigured API including “name, email, username, phone, gender, bcrypt password hash, 2FA secret and password reset token.”
As of June last year, Spoutible has 240,000 registered users so the breach impacted a good chunk of the smaller social network’s user base.
The security researcher explained that the vulnerability could have been exploited by bad actors, who would have been able to obtain a hashed version of users’ passwords. Even though the passwords had been protected by bcrypt encryption, shorter passwords would have been easier to guess. Hunt pointed out that the account holder would not receive an email notification about the password change. This would mean they would never have known if the account was no longer in their control.
This type of thing would have caused problems for any startup. However, it is especially true for those with a large number of early adopters. They may have only tried Spoutible once before moving to another Twitter alternative.
Spoutible CEO Christopher Bouzy has confirmed the data breach vulnerability and required users to create new, stronger passwords, after Addressing the issue. However, he also referred to the vulnerability’s discovery as “an attack” on his network and alleged that the person who scraped the data was someone who was intent on hurting Spoutible’s reputation.
“We are…confident the person involved is the ringleader who has been attacking Spoutible for a year,” Bouzy said on a post, referring the notifier who sent Hunt scraped records.
In an email with TechCrunch, Bouzy laid out his ideas further, alleging that the online group known as “Doubtful,” which had emerged early last year, was behind the attack. Doubtible runs a Twitter/X account where they have”tweeted falsehoods about Spoutible, me, and prominent members of our community daily,” Bouzy said. “We firmly believe that this group is behind the unauthorized scraping of our data” — an accusation Bouzy is repeated in responseIn a Trustpilot review, he suggested that he was also alerting the FBI on the matter.
“Someone doesn’t have to scrape 207k+ records to reveal a vulnerability, Bouzy continued. “However, by also including data, it makes it significantly more newsworthy. Should someone aim to expose a vulnerability to tarnish a company’s reputation, Mr. Hunt would indeed be their ideal contact. The reason behind their choice is clear: Mr. Hunt’s tweets, blog post, and follow-up video perfectly align with their intentions. The manner in which Mr Hunt sensationalized and portrayed the incident is exactly what they were hoping for,” he added, conspiratorily.
Bouzy claims that this security vulnerability occurred because someone in his team accidentally used a feature designed for the public API to replace a feature intended for the settings API. This is how encrypted emails and phone number were exposed as plain text. Spoutible, he said, has partnered with a firm of security experts to review its systems in light this incident.
Bouzy has been accused by several people of trying to minimize the severity of this vulnerability. data journalist Dan NguyenRecently, re-shared by tech entrepreneur Anil Dash’s post on Bluesky warning users to “get off spoutible.” Another Bluesky user colourfully referred to Spoutible’s dumping of user data as akin to “Montezuma’s Revenge.”
A data breach is bad PR for any startup. But now, questions are being asked about whether the company is attempting to silence its critics.
Mike Natale is a Spoutible user who has publicly revealed his identity. The CEO deleted the posts of one of his employeesBouzy was pushed to be more transparent on the social networking site where Bouzy had been urged by Bouzy.
“Bouzy…deleted all my posts and wiped my wall,” wrote Natale, in response to another Bluesky user.
Another reply Natale explained that Bouzy had initially reposted his posts on Spoutible to comment on the matter, but then deleted all of Natale’s posts when he pushed back against “the narrative that this was an attack” and “that other companies have had the same flaws.”
The missing posts don’t include the usual tag indicating their deletion. On Spoutible, posts that are removed have a system note attached reading “@user deleted this reply.” For instance, if Bouzy had deleted the reply, it would have read “@bouzy deleted this reply.”
But in this case, Natale said in comments on Bluesky that posts are just gone and his Spoutible main feed doesn’t even load.
The Twitter/X account Doubtible also posted about Natale’s claims. Natale did not respond to requests for comments.
Meanwhile, Spoutible CEO Christopher Bouzy denies deleting Natale’s posts.
“Regarding the issue with user Natale, we did not delete their posts or account. It’s possible for users to remove their own content and then falsely accuse us,” he said, again suggesting a conspiracy. “The allegation is baseless and does not merit further discussion,” he concluded.
The incident at Spoutible brings to mind another smaller company, Hive, which also experienced a major security issue after being flooded with Twitter users shortly after Elon Musk’s acquisition. In this case, The startup has completely shut down its appFix the critical flaws and then return to the app store. Hive has managed to survive the storm and return to the app store, but it is no threat to Twitter anymore after its missed opportunity.
Whether Spoutible’s reputation will recover from this stain also remains to be seen.