A startling revelation by security consultant Troy Hunt sheds light on a significant security flaw within the Spoutible social media platform. The exposed API, discovered by Hunt through a file shared by an individual, disclosed alarming details of 207,000 user records. The information retrieved included standard data like usernames, names, user IDs, and bios, but went further to reveal highly sensitive data such as email addresses, IP addresses, verified phone numbers, bcrypt-hashed passwords, seeds for one-time passwords, bcrypt-hashed 2FA backup codes, and password reset tokens.
Hunt emphasized the unnecessary risk posed by Spoutible’s decision to return hashed passwords, especially considering bcrypt’s vulnerability to attackers armed with weak password dictionaries. With a compromised password and seed, an attacker could easily access a user’s account, with the exposed password reset token allowing immediate account takeover. Hunt alerted Spoutible founder Christopher Bouzy, leading to a swift API modification to limit data exposure. While the company acknowledged the incident, they downplayed the impact, stating that “decrypted passwords and direct messages were not disclosed.” Users are urged to change passwords, reset 2FA, monitor accounts, and invalidate keys on connected platforms.
