Spoutible Data Breach Exposes Private User Information, API Vulnerabilities Fixed


An API endpoint on the social media platform Spoutible exposed private user data, including bcrypt password hashes, 2FA secrets and password reset tokens, to anyone who requested a user's profile. The exposure was reported by security researcher Troy Hunt and has since been fixed by Spoutible.

Hunt detailed the extent of the exposure in a blog post and loaded the affected accounts into Have I Been Pwned. The endpoint was not compromised in the usual sense: it simply returned far more of a user's record than a public profile should, so anyone able to call it could retrieve usernames, email addresses, IP addresses and phone numbers at will. Hunt compared it to earlier 'scraping incidents' at Trello and Facebook, where public APIs were enumerated to harvest profile data in bulk.

Passwords were hashed with bcrypt, a deliberately slow algorithm that makes each guess expensive. Strong passwords are well protected by it, but weak or reused passwords can still be cracked from the leaked hashes. More seriously, the API also exposed users' 2FA secrets, the seeds from which one-time authenticator codes are generated. Anyone holding a seed can compute exactly the codes the user's authenticator app produces, which defeats the second factor entirely rather than merely weakening it.

During his investigation, Hunt retrieved the 2FA secret for a test account he created and used it to produce valid login codes. The API also returned users' 2FA backup codes in hashed form, but the codes are short enough that the hashes can be brute-forced in minutes; a slow hash does not help when there are only a few million candidates to try. Finally, full password reset tokens were exposed as well, meaning an attacker could reset a victim's password without ever seeing the reset email.
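The two attacks described above, as an added example that is not part of Hunt's post or Spoutible's code: generating valid TOTP codes from a leaked 2FA seed, and brute-forcing a short backup code from its hash. The seed is the RFC 6238 test key so the codes can be checked against the RFC's published vectors. The backup-code storage is an assumption: a six-digit numeric code run through PBKDF2 from the standard library stands in for the bcrypt Spoutible actually used, and the field names and sample values are constructed for this example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed stand-in for the 2FA seed the profile endpoint leaked. This is the
# RFC 6238 test key ("12345678901234567890") base32-encoded, not a real account.
LEAKED_TOTP_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Assumed backup-code storage: a 6-digit numeric code hashed with PBKDF2-HMAC.
# Spoutible's real hash was bcrypt; PBKDF2 is used here only to avoid a
# third-party dependency. The round count is kept low so the demo runs quickly.
# Raising it changes the cost per guess, not the number of guesses, and the
# number of guesses (10**6) is what makes a six-digit code crackable.
BACKUP_CODE_SALT = b"constructed-per-user-salt"
PBKDF2_ROUNDS = 200


def totp(secret_b32: str, at: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`, as an authenticator app computes it."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at // step)          # 8-byte big-endian time step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def codes_from_leaked_secret(secret_b32: str, now=None) -> dict:
    """What an attacker gets from a leaked seed: the current code plus the
    neighbouring ones, covering the clock-skew window most servers accept."""
    now = int(time.time()) if now is None else now
    return {
        "previous": totp(secret_b32, now - 30),
        "current": totp(secret_b32, now),
        "next": totp(secret_b32, now + 30),
    }


def hash_backup_code(code: str) -> str:
    """Assumed server-side backup-code hash (stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), BACKUP_CODE_SALT, PBKDF2_ROUNDS).hex()


def crack_numeric_code(target_hex: str, digits: int = 6):
    """Exhaust every `digits`-digit code against the leaked hash.
    Returns (code, guesses_needed) or (None, keyspace) if nothing matches."""
    keyspace = 10 ** digits
    for n in range(keyspace):
        candidate = str(n).zfill(digits)
        if hmac.compare_digest(hash_backup_code(candidate), target_hex):
            return candidate, n + 1
    return None, keyspace


if __name__ == "__main__":
    print("TOTP codes an attacker can mint right now:",
          codes_from_leaked_secret(LEAKED_TOTP_SECRET))
    leaked_hash = hash_backup_code("001337")  # constructed victim backup code
    code, guesses = crack_numeric_code(leaked_hash)
    print(f"backup code recovered: {code} after {guesses} guesses")
```

The TOTP function is the whole of the second factor: the server runs the same computation with the same seed, so possession of the seed is equivalent to possession of the authenticator. The cracking loop is the reason a hashed backup code is not safe when the code is six digits; with bcrypt each guess costs tens of milliseconds instead of microseconds, which turns minutes into hours on one core, not into anything an attacker cannot afford.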

Spoutible confirmed the incident on its website and assured users that "decrypted passwords have not been captured." The platform recommended that users change their passwords and reset their 2FA settings as a precaution.

Following Hunt's disclosure, Spoutible fixed the API so that the sensitive fields are no longer returned. Users should change their password and, more importantly, regenerate their 2FA secret: a new password does nothing about a leaked TOTP seed, and every code derived from the old seed stays valid until the seed is replaced. Backup codes should be regenerated for the same reason.
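The underlying bug is a profile endpoint serializing the whole user record. The following is an added example, not Spoutible's code and not a description of the fix they shipped: it shows the over-exposing handler, a denylist variant that looks fixed but is not, and an allowlist variant, plus a check that can run in CI against any response. The user row, its field names and all values are constructed for this example.

```python
import json

# Constructed user row as a storage layer might hold it. Field names and values
# are assumptions for this example, not Spoutible's actual schema.
USER_ROW = {
    "id": 42,
    "username": "example_user",
    "display_name": "Example User",
    "bio": "Constructed sample account",
    "email": "example@example.com",
    "ip_address": "203.0.113.7",
    "phone": "+15555550100",
    "password_hash": "$2b$12$constructed-bcrypt-hash-placeholder",
    "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    "backup_code_hash": "constructed-hash",
    "password_reset_token": "constructed-reset-token",
}

# Allowlist: the only fields a public profile response may ever carry.
PUBLIC_PROFILE_FIELDS = ("id", "username", "display_name", "bio")

# Fields whose presence in any response is a bug; used by the regression check.
NEVER_IN_RESPONSE = frozenset({
    "email", "ip_address", "phone", "password_hash",
    "totp_secret", "backup_code_hash", "password_reset_token",
})

# Denylist a developer might write instead of an allowlist. It only names the
# obvious secrets, so PII and any column added later still go out the door.
STRIP_FIELDS = frozenset({
    "password_hash", "totp_secret", "backup_code_hash", "password_reset_token",
})


def profile_box_vulnerable(row) -> str:
    """The over-exposing pattern: serialize the entire row."""
    return json.dumps(dict(row))


def profile_box_denylist(row) -> str:
    """Looks fixed, is fragile: strips known secrets, leaks everything else."""
    return json.dumps({k: v for k, v in row.items() if k not in STRIP_FIELDS})


def profile_box_hardened(row) -> str:
    """Allowlist: new columns stay private until someone deliberately adds them."""
    return json.dumps({k: row[k] for k in PUBLIC_PROFILE_FIELDS if k in row})


def response_keys(response_json: str) -> set:
    """Keys present in a serialized response."""
    return set(json.loads(response_json))


def leaked_fields(response_json: str) -> list:
    """Regression check: sensitive keys found in a serialized response."""
    return sorted(NEVER_IN_RESPONSE & response_keys(response_json))


if __name__ == "__main__":
    handlers = [("vulnerable", profile_box_vulnerable),
                ("denylist", profile_box_denylist),
                ("hardened", profile_box_hardened)]
    for name, handler in handlers:
        print(f"{name:10s} leaks: {leaked_fields(handler(USER_ROW))}")
    # A column added after the fix (constructed here) shows why the allowlist wins.
    row = dict(USER_ROW, recovery_email="backup@example.com")
    print("denylist exposes new column:", "recovery_email" in response_keys(profile_box_denylist(row)))
    print("hardened exposes new column:", "recovery_email" in response_keys(profile_box_hardened(row)))
```

The check in `leaked_fields` is the part worth keeping: run it over every public endpoint's sample response in the test suite, and a future schema change cannot silently reintroduce the leak. Secrets such as password hashes, TOTP seeds and reset tokens are better kept out of the object a handler can reach at all, but an allowlisted serializer is the minimum.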

Overall, the incident is a reminder that a breach does not require anyone to break in: a public endpoint that returns one field too many is enough. For users, the practical steps are a new password, a freshly enrolled authenticator and new backup codes. For developers, a profile endpoint should return an explicit list of public fields rather than the whole user record, and secrets such as password hashes, 2FA seeds and reset tokens should never be reachable from a response at all.

Source: Troy Hunt