Last week, news broke that Spoutible, a Twitter alternative, had exposed sensitive user data thanks to a leaky API. In this post, I’ll explain what data was leaked and give you some tips to protect yourself from the fallout of future breaches.
Someone (we don’t know who) discovered a vulnerability in Spoutible’s API, which allowed them to collect sensitive information about the social media site’s users. This person then notified Troy Hunt, security consultant and creator of haveibeenpwned.com, a site that lets you check if your data has been exposed in prior data breaches.
Hunt investigated the problem and contacted Spoutible, who then fixed the leak. Hunt also wrote an excellent blog post detailing the results of his investigation.
So, what kind of information was leaking from Spoutible? Email addresses and phone numbers, for starters. That’s bad, because user contact details are not meant to be public and can open up Spoutible’s user base to increased spam and scams. But, as Hunt soon discovered, it got worse.
The API also returned users’ hashed passwords. A password hash is a one-way mathematical scrambling of the password, designed so that the original can’t be read directly from the stored value. However, a hash offers little protection for a weak password, because it’s easy to guess common passwords and check whether they produce the same hash. This means that whoever knew about the API leak could have obtained the credentials of any Spoutible user who used a sufficiently weak password.
Spoutible offers two-factor authentication (2FA) using an authenticator app, so you might think that users with weak passwords would be safe if they had 2FA enabled. Unfortunately, that’s not the case, as Spoutible’s API also leaked users’ 2FA secrets. A malicious actor who has that secret can add it to their own authenticator app and generate the 2FA codes needed to successfully pass a 2FA challenge.
Finally, Spoutible’s API leaked users’ password reset tokens. This means anyone who knew about the leak could change any Spoutible user’s password.
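The root cause described above is an API that serialized whole user records, so internal columns (password hash, 2FA secret, reset token) went out alongside the public profile fields. The following is an added example, not Spoutible’s code; the field names and the sample record are assumptions chosen to mirror the categories of data the post says leaked. It contrasts the leaky “dump everything” pattern with an allowlist serializer, plus a fail-closed check that refuses to return any response containing a secret field.

```python
"""Allowlist serialization for user profile API responses.

Added example, not Spoutible's code. Field names (email, phone,
password_hash, totp_secret, reset_token) are assumptions that mirror the
data categories the post describes; the sample values are constructed.
"""

# Constructed sample record, shaped like a user row read from a database.
SAMPLE_USER = {
    "id": 42,
    "username": "alice",
    "display_name": "Alice",
    "email": "alice@example.com",            # constructed
    "phone": "+15555550123",                 # constructed
    "password_hash": "$2b$12$PLACEHOLDER_HASH_VALUE",   # placeholder
    "totp_secret": "PLACEHOLDER_TOTP_SECRET",           # placeholder
    "reset_token": "PLACEHOLDER_RESET_TOKEN",           # placeholder
}

# The only fields a public profile endpoint is allowed to return.
PUBLIC_FIELDS = frozenset({"id", "username", "display_name"})

# Fields that must never appear in any API response, for any endpoint.
SECRET_FIELDS = frozenset({"password_hash", "totp_secret", "reset_token"})


def leaky_serialize(user):
    """The failure mode: the whole record becomes the response body.

    Every column, including ones added to the table later, is exposed.
    """
    return dict(user)


def safe_serialize(user, allowed=PUBLIC_FIELDS):
    """Allowlist: copy only the named public fields.

    Columns not in the allowlist are dropped, so a new sensitive column
    added to the database does not silently become public.
    """
    return {key: user[key] for key in allowed if key in user}


def contains_secrets(response):
    """Return the sorted list of secret field names present in a response."""
    return sorted(SECRET_FIELDS.intersection(response))


def build_profile_response(user):
    """Serialize with the allowlist, then fail closed if a secret slipped in."""
    response = safe_serialize(user)
    leaked = contains_secrets(response)
    if leaked:
        raise ValueError(f"refusing to send response with secret fields: {leaked}")
    return response


if __name__ == "__main__":
    print("leaky response exposes:", contains_secrets(leaky_serialize(SAMPLE_USER)))
    print("safe response:", build_profile_response(SAMPLE_USER))
```

The fail-closed check in `build_profile_response` is worth keeping even though the allowlist already excludes the secret fields: it turns a future mistake (someone adding `totp_secret` to `PUBLIC_FIELDS`, or a second endpoint that forgets the allowlist) into an error caught in testing rather than a leak discovered by a third party.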
The one silver lining in all this is that the team at Spoutible responded quickly when Hunt contacted the CEO, Christopher Bouzy, to let him know about the problem.
According to Hunt’s timeline, Bouzy and his team plugged the leak the very same day he contacted them and notified users of what happened shortly thereafter.
How to protect yourself
As Hunt advised, after a breach like this, users need to change their passwords and reset their 2FA. But personal data that leaks, like email addresses and phone numbers, is not so easy to change. And once it’s out there, users can expect to receive more scam emails, texts and calls.
You can help protect yourself from this by not giving out your real email address or phone number when signing up for new accounts (unless it is absolutely necessary). Instead, use an email alias and a VOIP number.
An email alias is an email address you give out in place of your real one to protect your privacy. Any emails sent to the alias are then forwarded to your regular inbox. The great thing about aliases is that if one starts to receive spam, you can easily disable it and emails sent to that address stop hitting your inbox.
Some email providers come with built-in email alias functionality, but there are also standalone tools that handle email aliasing for you. I use SimpleLogin to manage my aliases, but there’s also DuckDuckGo Email Protection, Firefox Relay and Addy (formerly AnonAddy), among others.
A VOIP number is essentially a virtual phone number. If you’re in the US, you can get a Google Voice VOIP number for free. You can also buy inexpensive VOIP numbers from MySudo, Firefox Relay, Hushed, and others. For example, I pay $10 a year for a MySudo VOIP number.
You can then give out your VOIP number instead of your real phone number whenever you sign up for less important services. That way, if a company starts spamming you or suffers a data breach, it’s the VOIP number that receives the unwanted calls, not your real phone number.
The Spoutible data leak was unfortunate, but leaks and breaches are increasingly common. Email aliases and VOIP numbers are tools you can use to keep your information private, even when the worst happens.