A user on the Twitter/X alternative Spoutible claims the company deleted their posts after they pushed Spoutible CEO Christopher Bouzy to be more honest about the nature of its recent security issue. The claims, which the company denies, are the latest bizarre twist in the security incident saga taking place over the past week at the startup.
Last week, Bouzy acknowledged a security vulnerability that he said had exposed users’ emails and phone numbers at his startup, positioned as a more inclusive, kinder Twitter. However, security researcher Troy Hunt, creator of the Have I Been Pwned website, which lets people check whether their data has appeared in a data breach, found that Spoutible’s developer API was also exposing information that bad actors could have used to take over users’ accounts without their knowledge.
Hunt detailed the far more serious finding on his website, noting that the Spoutible API returned data including the bcrypt hash of any other user’s password, plus 2FA (two-factor authentication) secrets and the token that could be reused to reset a user’s password.
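The exposure Hunt describes is the familiar bug class of an API serializing the whole stored user record. As an added illustration (not Spoutible's code, nor Hunt's), here is a constructed Python sketch of that bug beside an allowlist serializer and a response check that flags secret fields; every field name and value below is an assumption.

```python
import json

# Constructed sample user row; field names are assumptions, not Spoutible's schema.
USER_ROW = {
    "id": 42,
    "username": "alice",
    "display_name": "Alice",
    "email": "alice@example.com",
    "phone": "+15555550100",
    "password_hash": "$2b$12$CONSTRUCTED_BCRYPT_HASH_PLACEHOLDER",
    "totp_secret": "CONSTRUCTEDTOTPSECRET",
    "password_reset_token": "constructed-reset-token-000",
}

# Fields that must never leave the server in any API response.
SECRET_FIELDS = {"password_hash", "totp_secret", "password_reset_token"}
# Fields only the account owner may see, never other users.
OWNER_ONLY_FIELDS = {"email", "phone"}
# Explicit allowlist of what any other user may see.
PUBLIC_FIELDS = ("id", "username", "display_name")


def serialize_user_unsafe(row):
    """The bug class in the article: the API returns the whole stored record."""
    return json.dumps(row)


def serialize_user_public(row, viewer_is_owner=False):
    """Hardened form: build the response from an allowlist, so a column added
    to the table later is not exposed by default."""
    out = {k: row[k] for k in PUBLIC_FIELDS if k in row}
    if viewer_is_owner:
        out.update({k: row[k] for k in OWNER_ONLY_FIELDS if k in row})
    return json.dumps(out)


def leaked_fields(response_body):
    """Detection check for a CI test or response-scanning proxy: returns the
    secret or owner-only keys found anywhere in a JSON response body."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in SECRET_FIELDS or key in OWNER_ONLY_FIELDS:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(json.loads(response_body))
    return sorted(found)
```

Running `leaked_fields` over every endpoint's response in a test suite, with the secret list kept in one place, catches this class of over-exposure before it ships.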