“I’m selling data of 400M Twitter users that was scraped via a vulnerability” (breached.vc)
510 points by prakhar897 on Dec 25, 2022 | 280 comments



Some previous commentary https://news.ycombinator.com/item?id=34123707

It's not just real email addresses, but this leak (if real) could have also de-anonymized a bunch of people if they were foolish enough to use their real name, or their email address that has this info


>The seller told me they scraped the data using the same set of weaknesses in Birdsite APIs that allowed the scraping (and publishing) early this year of profile data on 5.4M Twitter users.

Sigh... So many of the massive social media leaks are just people taking advantage of their publicly documented APIs.

I fear more services will stop providing public APIs and maybe even use constantly changing obfuscation like Snapchat and TikTok to make it harder to use their internal APIs.


It's using a vulnerability, you should not be able to get emails and phone numbers for any profile except yours using any Twitter API.


> constantly changing obfuscation like Snapchat and TikTok to make it harder to use their internal APIs.

That sounds interesting. Can you point me to some resources to learn more about this?


Snapchat's API call obfuscation:

https://hot3eed.github.io/snap_part1_obfuscations.html

This one about TikTok was recently on the HN front page:

https://www.nullpt.rs/reverse-engineering-tiktok-vm-1


Gee I sure love being forced to enter my phone number into every app I use so there is a nice big single point of failure that apparently can be taken from me with basic social engineering of phone company employees.


It's like the fail of using a social security number or email as a primary key, except it's also a potential listening and tracking device.


Ironically, this data dump could prove particularly useful for me.

I have a Twitter account for which I no longer remember the username, and have lost the password. It is, and has been for years, impossible to recover the account, because of a circular dependency in the lost password / account recovery form. I've been tweeting at Twitter Support for years to no avail.

Looks like I can just search this data for my email address and find out what the account name is.


> Twitter patched this in early 2022 so breach data is 2021 to 2022


The inclusion of Scott Morrison (ex Australian Prime Minister) as "ScottMorrisonMP" instead of "ScottMorrisonPM" could date things to after 23 May 2022 (when he was voted out of office).


That account was created in 2009?

https://mobile.twitter.com/scottmorrisonmp


Australian PMs often think they're smart by changing their account name from @xyzmp → @xyz*pm* → @xyzmp.

I couldn't remember if Scott Morrison did so, but Google results seem to indicate it[1].

[1] https://www.google.com/search?q=%22%40scottmorrisonpm%22


Wayback doesn't show he changed his name, it only cached the site twice. Once redirects to the home page, another says account suspended. http://web.archive.org/web/20210801000000*/Twitter.com/Scott...

Meanwhile ScottMorrisonMP has no dip in caches. http://web.archive.org/web/20210801000000*/Twitter.com/Scott...


This really shows the importance of Apple's Hide My Email feature. I’ve been using it wherever possible. However, I think I might go back through my online accounts and make sure I’ve got it set up. Generally, my phone number has been with spam centres for a while now. I’m not changing it, because it’s so much friction to change it. Right now, I hardly ever take calls because of the massive spam influx. I’m not sure getting a new number will fix this because they cycle numbers and you may just get the spam from a different person. Right now my phone is pretty good at blocking most spam I get through the phone. Not sure how it does this.


Unrelated, but I had no idea how bad spam calls were until moving to Canada. I had a total of maybe 5 spam calls in 30 years in Belgium. Meanwhile I get 5 per week in Canada. Absolutely insane :/

Edit: wording


Your experience in Belgium is similar to what people describe when living in Germany. Apparently, the fines for telcos are insane when spam calls occur. So there is a strong incentive to prevent. Is it similar in Belgium?


I don't know what the exact mechanism is in Germany, but it works. The only unwanted calls I get, maybe once every couple of months, are from random British headhunters who probably got my work number from an email signature or another professional contact some way or another. Otherwise, spam calls just aren't a thing here.


Yeah, but the problem isn't local businesses spamming you anymore. It's foreign people calling, most often with a spoofed local number that the telcos somehow "can't" figure out is not really calling from a different country when the sim was active just a minute ago locally.


Same in France. I never had a spam call from a French company

I get calls from abroad, the phishing kind. They are easy to block if you do not have business there.


There is a do not call me register here in Belgium. Not using this list and calling someone on the list results in heavy fines.


Depending on your phone provider you can activate a feature that challenges the caller to solve a small problem before connecting the call.

TELUS calls it “Call Control”, and all its subsidiaries offer it. The major phone providers offer it too. It is the only thing I miss from my old TELUS plan.


Interesting solution! I’ve never heard of this but it makes sense, like a captcha for phone calls. I’m in the US and have had to stop answering my phone thanks to 2-3 spam calls per day.

The real answer is for the phone companies to use a protocol that doesn’t allow easy spoofing of any phone number (I believe one has been proposed but not adopted). Hilariously, I even have a medical provider app called Doximity that abuses this network ‘feature’ to disguise a doctor’s personal cell phone as the phone number of their medical clinic.


Some VoIP providers may offer an IVR service, and one can set up a similar mechanism using IVR. I know voip.ms offers IVR.


Move to the US and get 5 per day!


Even better, outside of the illegitimate ones, if your role is at all applicable, Oracle sales reps will essentially love bomb you on a never ending basis and because their turnover is so high, you get a barrage of calls on any given day of irrelevant things. Honestly I wish the phone “app” didn’t exist. If it’s someone you interact with a lot it’s very unlikely an unannounced phone call is what they’d go with.


I looked into using oracle cloud servers this year, but gave up after a day or so because the interface was bad.

They only called me once, because I hadn't used the account in a month.

They've only emailed me once since then.


Are you on the Do Not Call List? Have you tried asking Oracle to not call you again?


The DNC does not apply to companies you have a business relationship with - only cold calls.


I don't get why this is the case, surely there must be a huge majority that hates those calls and wants them to stop? Is there some sort of political lobbying that prevents effective laws from being passed?


There is lobbying indeed, the leverage being the call-center jobs.

In France for example, this activity was under scrutiny for decades (2014: https://www.lemonde.fr/vie-quotidienne/article/2014/02/12/de..., 2022: https://www.francetvinfo.fr/internet/telephonie/demarchage-t...), and even if the law is now more restrictive than before:

- no week-end calls
- calls from 10am to 1pm and 2pm to 8pm
- you can be included in bloctel, a "do not call me list"

it still leaves room for this activity.

Almost all these jobs will probably be replaced by AI in a near future, so the main leverage will disappear and ...


That doesn't help offshore call centers dialing to you over VOIP. Different jurisdiction and difficult trace means almost no accountability. That's the problem in the US, plus our congress is of course, the best one money can buy.


I'd also imagine spam calls getting less effective when you get used to them.

But maybe that's not the case?


It’s actually a positive feedback cycle: those who still answer the phone are more likely to be easy victims.


Mine seem to come in waves. I haven't gotten any, or Google hasn't let any actually ring my phone, in a few days then there will be days with a half dozen.


Doesn't the DoNotCall register work any more?


That has not worked since 10+ years ago.

But I did stop getting so many spam calls in recent months, so I assume ATT or other phone service providers in the US have enabled some type of anti spam measure.


Most of these calls come from illegitimate call centers running scams overseas now.


That and all the damn politicians… who of course exempted themselves


Yes. I occasionally get one labeled as from China.


Hi fellow Canadian resident!

Yes, also from Canada it’s absolutely the worst. I came from the Netherlands, and it’s an absolute world of difference. The telcos need to resolve this at a system level and get rid of these call centre software solutions. However, I’m sure Telus/Bell/Rogers are all getting lots of money from all these calls so no incentive to stop them.

Can’t help but think that at some point people made the wrong decision along the way.


I would not put any faith in the Canadian telcos at this point. They feel quite outdated, charging insane prices for subpar quality service. (From my experience with Bell and limited Rogers experience).

There are many things they could improve on and I think dealing with spam is probably low on their list.


They used to have the concept of 'airtime' that you paid for, is that still the case?

The effect was that spam calls directly benefited the telcos at the expense of the person called if they answered the call.

I've lived and worked in Canada for many years, the longer I was there the more the outward shine wore off and eventually I just saw it as a loosely collected set of monopolies with the state backing them filtering every dollar from Canadians that they could get their hands on.


I get between 5 and 20 per day in Brazil.

In Canada, sometimes 5 per day.

One trigger here was creating an account in a particular bank. Seems to be breached. Unfortunately Canada is a captive market, we don't have much choice.


Which bank


Unrelated but related: I live in the U.S. and get about 1/week now, down from about 1-2/day a year ago. Using iPhone XS Max (2018) & latest iOS (always promptly updated).

I always hit "Block this number" option before deleting.

Phone company (AT&T) labels some in red as Spam; Apple does the same.


Mandated SHAKEN/STIR seems to have been huge. I also used to get about 1/day, now it's 1/week and it doesn't even ring - my Pixel just gives a notification that I missed a call from a known shady number.

I know no news site will ever get clicks from "Competent Government Helps Solve Real Problem", and I know we're not 100% there, but it was genuinely a leap forward and people should talk about it more.


Canadian and can confirm. It is insane, Insanity.


My strategy is to answer every call but remain silent. 9/10 times they hang up after 2 seconds. The remainder are 50/50 real calls and manual spam calls. My assumption is that the robo dialers are recording the success or failure, and if you answer quickly but stay silent, that's some kind of failure. I've done this for a few years and I feel like I get less spam than I used to. Looking at my call log, it looks like I've had less than 5 spam calls in December.


More effective would be to have a button I can tap in the phone app labeled "waste this person's time", which would automatically attach the caller to an AI designed to maximize the amount of time the caller wastes on each call.


I once made a website where you could enter two phone numbers on. It would call A with B’s caller ID and B with A’s caller ID. After the call it would send an sms/call from the service explaining what happened and they could consent to release the recording for the pranker to listen to.

It was funny to have Pizza Hut and McDonald’s both think they’d called each other. Or two people standing right next to each other.

I nearly got in quite a bit of trouble when someone pranked two high level people in the military, and they decided to have a conversation they probably shouldn’t have had on personal cell phones.

It was fun while it lasted… but I wonder if something like this could work for spam calls. Basically instead of forwarding to voicemail, have it route to some pre recorded messages you make “yeah” “hello” “I didn’t hear that, can you say that again” and loud background noises playing. Then it can send you the recording as your “voicemail”. Could be fun.


You’ve described Lenny (well, without the AI)

https://www.lennytroll.com/

1 (347) 514-7296


If you hide your email but can't hide your phone number and companies like twitter or google will not let you create an account without, that does nothing to your privacy.


We need a phone number v6 as well, with vastly more possible entries. Having hide my phone number would be a great service.


You just described what email addresses have turned into


For anyone not using Apple devices, DDG has email generation built into their browser plugin. I'm not sure if it's in their browser app, but I'm sure they will add the feature.


> Right now, I hardly ever take calls because of the massive spam influx.

Perhaps Apple ought to follow Google into the AI-assistant-powered call screening business.


I feel like it’s already doing this but I’ve set it up in a weird way. I’ve changed my notifications to make a sound when it’s from my contact list (or can be found in a footer in an email I’ve ever received) and else it will be silent.

I hardly ever get an unknown important call that doesn’t fall in those categories. This has me not picking up the phone for spam calls, but I hardly ever miss an important call.

There are other things I’ve set up that I don’t want to go into because they can be solved by the spam callers and I’d like to keep it a secret ;)


> This really shows the importance of apples hide my email feature

But what if Apple gets hacked? They still know your real email, right?


So you’re saying Apple AND dozens of other companies, most of those with worse security, having my email address is JUST AS BAD as ONLY Apple having my email address?


Technically I could set up my email on Apple as another fake email that redirects to the real email, and build a wild system of multiple proxies.


Hmm, if I made a Twitter account 7-10 years ago (iForgot when exactly, haven't used it in ages) did they require a phone number then, or did it only leak my email which is already leaked anyway?

Edit: thanks, all the reasons listed to give them a phone # don't apply to me so I'm safe


They have never required a phone number for account sign up. So unless you either a) used it as a form of 2FA, or b) got put into a “time out” for whatever reason and Twitter required a phone number to unlock the account, you didn’t have to give them your number.


For many years now, twitter automatically shadowbans new accounts if they did not supply a phone number during sign up. This is of course just a ploy to collect phone numbers. The reason they give for the ban is that their terms of service have somehow been violated, even if the account has never posted anything, but the violation magically goes away if you provide a phone number. In the past, you could also write a mail to some support email address, but that took a few weeks even before most twitter employees got fired.


I have a number of twitter accounts. My main does have a phone number attached but the others do not and they are not shadow banned.

(Only reason I attached a number to my main is because I needed API access many years ago, for years before that it never had a number attached to it)


Twitter has an extremely nasty dark pattern for acquiring your mobile number.

So much so that if you pay and use a temporary number from services like OnOff, Twitter cleverly detects this and never sends you a verification code.

You need to use a number that is likely tied into a major phone network, most people will do this, as for the privacy conscious like me I had no way of circumventing the measures Twitter had in place at the time. It was very frustrating.


Well as of late even big providers are not sending verification codes. My main has a number attached to it (for api reasons), but the other day I needed to log in on my freshly reinstalled laptop and chose phone as my 2FA device was in another room as I was being lazy, and I never got the code even though I must have validated it in the past.

It was around the time that Elon tweeted out something about telcos sending out spam sms in twitters name.


Twitter required a phone number to use the API.


But not all users are API users. I would say API users are the minority of users.


There was a bug for a while (not sure how long) when account signup with email didn't work. It was going through fine but after everything was set up, you couldn't continue without phone number and it would not activate your account. I'm not even sure if it was a bug or just a test how many people would continue?


Flagged IPs probably get different levels of scrutiny.


This is why I don't register with real data ever anywhere. They do not need my email or phone number for anything but they will store it and likely are not capable of protecting it more than a few years.


> This is why I dont register with real data ever anywhere

Meaning you don't have a twitter account or do you use a burner phone?


I was not required back when I registered on twitter.

And yes I do have some burner phone numbers too if I need one but I generally just don't use services that need it.


I don't think I ever gave twitter my phone number. Was that ever a requirement or is that just in case you need to reset your password?


It is not a requirement but if you don't provide it your account gets suspended as soon as you tweet. This happened to me multiple times.


There’s a limit to this though. What about shipping and billing addresses? Credit card numbers? Do you just not buy anything at all online?


If it serves a purpose then that's a different thing and must be evaluated case by case. But if it serves you nothing then just don't enter your real data ever.


I know this was from before the takeover. But this is only going to happen more now that the remaining staff at twitter are overworked and burning out.


There's no meaningful evidence of remaining staff being overworked or burning out


It's a logical extrapolation from the 80-hour work weeks and huge number of people fired.

If they're not burning out yet they will be. You can't gut that much of an organisation in one go and expect it to still function.


They've made performance improvements since the layoffs. It's clearly functioning fine.


You know this how?


Look at the user's comment history, literally the whole first page is only him nonstop defending musk in different threads. Wish I could post that pic of weird nerds protecting elon and his companies from valid criticism


There's a difference between defending Elon and calling out bullshit. There's plenty of legitimate reasons to criticize Elon. Making up things that are entirely unsupported by evidence, and with strong evidence to the contrary, is tremendously exhausting to read all the time - so yes, I comment and point it out.


An 80 hour work week is over-work and will lead to burnout.

I'm not sure what evidence you're looking for, you can take Elon at his own word that he is expecting the remaining employees to shoulder significantly higher burdens than normal. You don't build bedrooms inside of an office when your employees have a healthy work-life balance.


I’m assuming maliciousness on the part of an ex-employee


If you'd read the link it's clear it's from a vulnerability


Should be able to use the follower counts to pinpoint the exact date and time of the leak, if anyone cares to do so


Also if you want to verify the data is legit you can pick a random verified user and try to send them $25 with Venmo. It will ask you to confirm their phone number. Sure looks legit to me though.


There's a simple zero knowledge proof to show that you actually have the data. Have a CSV of username + salt + hashed(salt + email) + hashed(salt + phone number) , etc.

Users can check their own email/phone/etc to verify that the attacker has the data, without the attacker revealing the data.

I'm surprised this doesn't happen more.
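The salted-hash check proposed in the comment above, as an added example that is not part of the original thread: a user confirms their own email against a published row, and the same row shows the caveat that a published salt does not protect a low-entropy field such as a phone number, which anyone can recover by walking the number space. SHA-256, the row layout, the function names and every sample value are constructed assumptions.

```python
import hashlib
import hmac
import secrets


def commit(salt: bytes, value: str) -> str:
    """hashed(salt + value) as in the comment; SHA-256 is an assumption."""
    normalised = value.strip().lower().encode("utf-8")
    return hashlib.sha256(salt + normalised).hexdigest()


def build_row(username, email, phone, salt=None):
    """One row of the proposed CSV: username, salt, and a hash per field."""
    salt = salt or secrets.token_bytes(16)
    return {
        "username": username,
        "salt": salt.hex(),
        "email_hash": commit(salt, email),
        "phone_hash": commit(salt, phone),
    }


def user_check(row, field, my_value):
    """A user tests their own value against the published row."""
    salt = bytes.fromhex(row["salt"])
    return hmac.compare_digest(row[field], commit(salt, my_value))


def phone_candidates(prefix, digits):
    """Every number sharing a known prefix (country + area code + exchange)."""
    return (f"{prefix}{n:0{digits}d}" for n in range(10 ** digits))


def recoverable_by_enumeration(row, field, candidates):
    """Privacy check for whoever designs such a list: because the salt is
    published, any field drawn from a small space can be matched by
    hashing every candidate. Returns the matching value or None."""
    salt = bytes.fromhex(row["salt"])
    for candidate in candidates:
        if hmac.compare_digest(row[field], commit(salt, candidate)):
            return candidate
    return None


# Constructed sample row (fictional 555-01xx number, example.com address).
ROW = build_row(
    "example_user",
    "alice@example.com",
    "+15550100042",
    salt=bytes.fromhex("00112233445566778899aabbccddeeff"),
)

if __name__ == "__main__":
    # The account owner can confirm the row matches their email.
    print("owner email matches:", user_check(ROW, "email_hash", "Alice@Example.com"))
    # A different address does not match.
    print("other email matches:", user_check(ROW, "email_hash", "bob@example.com"))
    # The phone field falls to a 10,000-candidate walk of one exchange.
    leaked = recoverable_by_enumeration(
        ROW, "phone_hash", phone_candidates("+1555010", 4)
    )
    print("phone recovered from hash:", leaked)
```

The per-row salt only stops precomputed tables; a field needs far more entropy than a phone number, or a keyed construction whose key is not published, before a hash of it hides the value.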


[DELETED BY USER] The below commenter is correct.


I am guessing that this was relating to certain individuals having Hotmail accounts, rather than more official sounding email addresses? I won't repeat any addresses here, but it did strike me as odd too. Hell even I have a @mylastname.org email address and I'm a nobody.


Having an email address at your own domain is incredibly risky for most people - because it requires them to reliably renew that domain name every year for the rest of their lives.


FUD - No it doesn’t. Just renew it every 10 years or whatever max renewal is available. Absolutely no requirement to do it every year. You will also get multiple reminders and grace periods if you forget too.

That’s not to say ‘most people’ should have their own domain, but renewal is one of the least tricky aspects of domain ownership.


So there is a risk to some extent - if you forget to renew and ignore any reminders you receive you'll lose your domain and access to anything attached to it. But that's like saying you shouldn't get a mortgage and buy a house, because if you stop paying your mortgage at some point and ignore your bank's increasingly anxious and strongly-worded letters then you'll lose your house.


Regardless it’s inappropriate to republish that email address unless he displays it publicly himself


You are correct, I’ve edited and removed it. Thank you for pointing that out.


A lot of the sample phone numbers seem to be some dummy number "+0000 2009". Is that a secret way around phone number requirement for twitter accounts?


That’s just a date value, “+0000” means UTC and 2009 is the year. If the value is in the phone field, might be a glitch or hidden value stored in the phone field that has a meaning that is undocumented; for example that the account was created prior to the phone field being added, though that seems unlikely, since my understanding is Twitter started out as phone-based.


No the phone requirement came way later.

You used to be able to sign up with just an email address then they started forcing phone number verification by lying and saying they caught your account acting like a bot so you needed to verify you’re human using phone number (you got the message even if you did nothing or just followed a few people, total lie)


How did twitter start as an sms system without requiring phone numbers?


They pivoted away from being an SMS system and that became a legacy part of it, that still worked but wasn't essential.

The part where Twitter was SMS only is like a footnote in its history.


Point is that generally speaking databases rarely delete fields once added, especially field as valuable as a phone number; as such, my assumption is Twitter has had a field in their database for a user’s phone number since it was first released.

Twitter’s been collecting phone numbers since at least late 2006:

https://web.archive.org/web/20061103054924/http://twitter.co...


So what you are saying is that when they started they required phone numbers? As in, what the commenter I was replying to wrote was not true? The 'footnote' in history seems pretty important when the whole point is that ignoring it leads you to assume things that are wrong.


That’s the time zone offset and year of the “created at” timestamps.


I think it's part of the account creation date, not all accounts have a phone number.


I’ve done something similar and my guess is they performed a migration in 2009 and didn’t want to force current users to provide phone numbers so they used the default value as a placeholder/note that reminds them to special case these users who were grandfathered in under the old rules.


From a cursory look the 1000 sample names seem legit, if it’s fake they at least did research to get plausible area codes for phones and some plausible domain names for some celebrities' email addresses.


More than a couple people are going to need new email addresses.


And phone numbers.


At least one phone number from the sample is Google-able to be correct.

At least one name and email address among the non-trivial ones is also correct.


The linked post just seems odd in general.

1) I've seen a lot of leaks being ransomed by hackers and hacker groups before and this post seems a bit amateurish (terms, payment, reference to GDPR, name calling Elon etc)

2) That's not how GDPR fines work (the numbers referenced in the post regarding 400m users). The previous fines were given because of the lack of notifying the EU regulators. Not because of the size of the breach. If Twitter is only made aware of this leak now, they can send the reports now and then work on their internal investigation and no fines will be given.


Guesses...

Seller is or was Twitter employee at some point this year.

Multiple users on the thread are the same user (the OP).

This has been planned since the Elon takeover as a plan B in case things got sour...they got sour.


Assuming this is real, how much could this data be worth?


To whom? For some on the list it could be worth their life. To a hypothetical buyer it depends on how effectively he can exploit/resell the data.

I suppose you mean how much it could be sold for? The easiest/safest buyer is probably the company itself, paid for by their insurance policies. Such policies will likely cover ransoms in the millions.

However with the current Twitter management it probably won't work, Musk may even not be paying the premiums given that he is not paying office rents or more likely be unwilling to negotiate.

For any other deal it depends a lot on the seller and buyer. You wouldn't want to be drinking polonium after driving a hard bargain with the Russians after all.


I talked to the hacker, he's asking for $50K


I may be wrong, but I believe this is information that was already available to you using the API. The only difference being that they have downloaded all the data and compiled it into an easy to use CSV. So I could see a lot of small-time spammers wanting a copy, but I don't see it being terribly valuable, like actual private data might be.


There was a publicly available API endpoint to query email addresses and phone numbers given a Twitter handle?


I'm genuinely curious about this too. I've never heard about such a thing to exist.


They used an exploit in the public API. You're not supposed to be able to get this data about any twitter account (except your own).


I believe this is not correct. You are definitely not able to get random people's (including government officials) phone numbers and email address using the API.


They were through a bug in the API.


I never trusted the Twitter backend, so have always used an anonymized phone number, birthday and email

I'm glad I did

Just need to change my phone number and I'm set.


Same I just checked and I have completely fake details and a throw away email. I love it when my past self does cool stuff !


What services do you use for anonymized phone number?


I used Google Voice with a couple layers of indirection. Some day I may get a burner prepaid phone if I'm even more concerned about my identity.


Is the leaker from India?

The sample includes high profile US accounts (who are globally known) and high profile Indian accounts (that are not globally known).


Leaker probably wanted to prove it's not just US accounts.

It's pretty easy to google "big India twitter accounts" or "big China twitter accounts" - there is a China newspaper on the list, a France Gov agency, ...


Seems likely that they just did ORDER BY RANDOM rather than picking and choosing.


I'm happy I haven't given in and didn't agree to hand them over my phone number, in spite of all grey patterns they used. In the end, I just consume Twitter, and for that Nitter is not only enough, but far superior than the original.


This reminds me of how some people these days don't publish an email address on their website, but rather a twitter handle, expecting you to send them 'direct messages'.


If this db contains phone numbers everyone has effectively been doxxed. All sites requiring phone numbers should be outlawed or get shut down if they have any breaches, this is potentially a privacy catastrophe and potentially dangerous for thousands of individuals.


Discord is the worst offender because it only allows one phone number to validate one account.

Meanwhile I have multiple Google and twitter accounts validated through one phone number.


Makes absolutely no sense now that lots of businesses are using Discord, so how are you supposed to have a business Discord account?


You don't need to verify.


For many communities on Discord you must verify to gain entry.


That's the community's choice, not Discord's... https://support.discord.com/hc/en-us/articles/216679607


And discord is making it impractical for those communities to make that choice


How?


Please read this comment chain from the beginning


Your comment still doesn't make any sense. Either you want the highest verification tier and go with phone verification, or you don't. It's your choice as admin. As a user you can just delete the phone number from one account and use it to verify another... you will have a timeout [2] but both accounts will be verified. Is it annoying? Yes. Is it understandable to rate limit it? Yes. Is it impractical? No.

[1] https://support.discord.com/hc/en-us/articles/4413460214807-... [2] https://support.discord.com/hc/en-us/articles/360000961212-P...


I can't remember why but I had to switch my phone number from my personal discord to my work discord, either to get it to allow me to login from my iOS Discord or something else asinine. I remember it took me maybe 40 minutes to get into the thing, haven't seen anything like it.

So yeah, essentially you do need to verify.


They're weird about it, sometimes you have to and sometimes they never ask. It's not like Twitter where you can use the site for an hour before they force you to verify. They probably do it so people will say what you said when people point out the problems with it.


Personally I've had google accounts locked and suspended for using the same phone number on multiple accounts.


Twitch requires your phone number to a) become verified (because apparently paying them every month for 5 years is not a verification) and even dumber, b) to enable TOTP.

And people on the Twitch subreddit insult you for even questioning this issue, even after they had a data leak. And yes, that's a majority opinion over there.

It's sad.


Some communities (fandom is probably a better word) are more like cults of personality than actual communities.

Given the fannish nature of Twitch and its audience in general, this level of almost religious fanboying and "how dare you question the Gods" mentality is very familiar (my teens and 20s were spent in fandoms - first anime, then comics, then furry).

I've seen this in every single one of them to some extent, but especially furry and Twitch. It's sad, because -- as they say, sunlight is the best disinfectant -- and all this does is block the sunlight and discourage people from talking about issues.


Both twitch and YouTube's subreddits aren't moderated by staff, but by random tryhards. If they don't like you, you're banned. Reminds me of Wikipedia.


Reminds me of furries, and a lot of other fandoms actually.

A: "Hey I had a problem at the con this weekend"

B: "How dare you talk about that, that's DRAMA! Take your DRAMA elsewhere, LLAMA. I'll have you know the guy who runs ConWeekend is my best friend! You're Banned for life! Long live ConWeekend! And here's that Japanese BANNED meme video to play you out! HAHA I SAVED THE FANDOM!"


Tbf, that's what I expect, most subs are community-run. But even if not, that'd be telling me a lot about the community.


You don't sign into a website forcing you to give them your real phone number if you fear being doxxed. How can anybody feel "anonymous" at that point?


I put a fake phone number into Twitter and a throwaway email. Got a few complaints about not having verified my number, then got banned for breaking the rules.

“Your account is permanently suspended. After careful review, we determined your account broke the Twitter Rules. Your account is permanently in read-only mode, which means you can’t Tweet, Retweet, or Like content. You won’t be able to create new accounts. If you think we got this wrong, you can submit an appeal.”

I can’t even follow anyone, but at least I can read tweets.

As I tweeted nothing nor indeed followed anyone all I can assume is that you have to have a real phone number to sign up.


Maybe you don’t but plenty of people do. There’s a huge middle ground of people who aren’t aiming for “anonymous” and who aren’t doing professional opsec, but still expect not to have their pseudonymous online identities linked to their real-world-identity phone number.

OP is right, this is a privacy disaster.


Companies know that people think like this nowadays, so they only require the phone number after you are already invested into the service. Twitter had this where they would allow you to not set phone initially, but then ban you some time later and require it to lift the ban. Microsoft also bans you for “suspicious activity” and the only way to unlock account is to “verify” your number. You can only contact them about it via another ms account or… by phone. Fuck everything about this tbh.


For everyone to know, Instagram does this too in a way. They would let me sign up with just an email, verify it, then at first login auto ban me. Giving me the option of appealing and tracking said appeal by giving them a phone number.

The only way I could resolve it was by using a phone number. Meanwhile they've harvested 2-3 of my anon and temp emails.


Twitter doesn't require a phone number anymore. You can use it via the website or a mobile app. I have an account from 2014 and it does not have a phone number associated.


You can create an account without a phone number, but the account is suspended as soon as you post anything.


Yes.

This happened to me.

I made an account, not using a phone number.

I then did not use it, for something like a month.

I posted - and the account was suspended, I was emailed, "you have violated our T&C, please provide your phone number to validate your account".

I may be wrong, but to my eye, they were attempting by deception to trick and force users into handing over their phone numbers.

I explained I had no phone number, and I had not posted at all, so it was hard to see how I had violated the T&C, and the account was unfrozen, and has been fine since then.


Exactly. This happened to me multiple times. I even had accounts for some of my side projects with phone numbers that got suspended.


> Twitter doesn't require a phone number anymore. You can use it via the website or a mobile app.

You used the word ”anymore”.

Obviously, you are implying that Twitter required a phone number in the past, but because you did not specify the time of the change, we must assume. It could be that phone numbers are not required since an hour ago or a year ago.

Regardless, if it was a requirement, chances are high that a good portion of the 400+M users in this (supposed) data breach were encouraged to share their phone number with Twitter.

Not to dismiss your contribution but if you have to write ”anymore” I don’t see the point of your comment.


I don't know if something has changed recently but at least as of 2016 when I signed up for a new account, I got immediately placed on a suspicious user list and had to use a phone number to prove I was a human. It was just a prepaid cell phone number that I don't even remember anymore so I don't know how it helped anything but yeah.

I suspect twitter did this to pretty much everyone.


Twitter originally was done via SMS, that's why status lengths were limited to 140 characters. So, obviously you needed a phone number when it first started.


It was never only sms though.


> Twitter originally was done via SMS, that's why status lengths were limited to 140 characters. So, obviously you needed a phone number when it first started.

This isn't what we are talking about. We are talking about requiring users to "prove they are human" by giving Twitter a phone number and then entering an authentication code that they text to that number.

It doesn't accomplish anything because I can get a new SIM card and a month of "unlimited" talk and text prepaid service for about USD 20(?). I didn't think of it much but looking back it is clearly a data grab.


Stallman has a note about it from about 2017 along with a note that one of the criteria was being a Tor user at some point: https://web.archive.org/web/20170224183228/https://stallman....


What about for multi-factor auth? Are these phone numbers leaked too?


From the csv sample fewer than half include a phone number.


Deleted. trifurcate is right.


> And for once it’s the people in power that are going to be disproportionally affected

Seriously? The people in power probably have many, many phone numbers, and getting a new one is not such a big deal.

Getting a new phone number is a much bigger deal for people not in power, and so are the possible negative outcomes from this (e.g. revealing the hidden identity of stalked or politically prosecuted individuals who are not in positions of power)


That's a good point. Perhaps a weaker claim is just the idea that people in power (or more generally, people of influence) are as likely to have skin in the game, which can only drive engagement on the issue. That's different to many issues for which those in a position of power are often less affected directly.


I think you may be over-estimating the technical competence of "people in power" there.


[flagged]


Please adhere to the HN guidelines for commenting.


I don't think there's a lot of love out there for Facebook


I don't know what you mean, plenty of people shit talk FB and much of it is deserved.


Pretty sure this comment is related to that recorded teleconference Elon joined to let everyone know that if you dox, even if you tweet about someone else doxxing and link to them, you're banned.


Wow, Steve Wozniak has a really nice phone number!


Do we know when this happened? Pre or Post Elon?


Krebs article was published today so I’d bet it’s post Elon.


People are saying it's from 2021, I don't even see a Krebs article on this yet.



As others have mentioned, the time range of when the data was scraped seems to be end of 2021 to start of 2022, maybe into mid 2022. If correct, that was certainly before Elon Musk took over, probably even before he made his initial offer.


Same, I need to know if I should enter damage control mode and deflect this from Elon or if to simp for him if this happened before. Very important information


It's interesting how celebs use just their plain names @ gmail.com as the username, just like most people. Wait, celebs are people too I guess, right? Ha ha....and I saw one even adding their birth year at the end of the username/email, or just the 2 digits. That became a thing especially for early 90's kids. I did it, and I still see many with that, and I cringe. Like, please realize you are giving your birth year away and that should remain private.


Elon refused to pay $50k to the ElonJet owner and we all saw how that turned out, ...

The smart move here might be to pay the hacker.


I think that makes the reference class "Buy Saint Vincent and the Grenadines, yes the country, to gain control of the TLD that this forum is hosted on".

Probably cheaper than Twitter, Saint Vincent and the Grenadines' GDP[0] is about half of SpaceX's revenue.

[0] yes I know that's not the same thing as "net worth", and also countries are not generally for sale, despite things like the Alaska and Louisiana purchases.


Breached did get taken down some months ago when it was on the .to TLD. Elon might have been ahead of his time?


Refusing to be extorted is now worth criticizing?


I was excited about Musk buying Twitter and his supposed free speech agenda. Yet lol free speech when it only suits him, as well as the constant changing of his mind and broken promises. I once again deleted Twitter off my phone.

If this hack is true Musk buying Twitter shows he is no genius or ever was. He's just another ego maniac Trump type which the majority of the public is tired of


What does this even have to do with elon?


> Twitter or Elon Musk if you are reading this you are already risking a GDPR fine over 5.4m breach imaging the fine of 400m users breach source Your best option to avoid paying $276 million USD in GDPR breach fines like facebook did (due to 533m users being scraped) is to buy this data exclusively,


Paying the criminals wouldn't help here. First, there is no guarantee that they wouldn't release the data anyway, second, the data already got leaked - criminals who were responsible for it have access to it, third, they publicly posted the information that they have access to it.

Instead, the proper solution is after verifying legitimacy of the leak to immediately (within 72 hours) notify supervisory authority and users about personal data breach according to Articles 33 and 34 of GDPR.


Heh, a bug bounty in disguise.


Sounds more like extortion


Pretty sure that's not how gdpr fines work.


The link is not working anymore. Did Elon buy the exclusive rights?

Edit: works again.


Works for me. What error are you seeing?


I wonder if they'll be fined 4% of their revenue under GDPR


They can be breached and in compliance with GDPR. Basically you need to do 'best effort', avoid holding on to data you do not need (data required for verifying logins, password recovery would typically be 'data you need') - and report breaches to the authorities and end users.

The GDPR does not make impossible demands like "never have a security breach".


If real, some people may basically face the death penalty in countries like Iran with the current situation. Anyone with anti-regime content and identifiable attributes in the leaked database is very stressed now.


Would users from those countries even be able to use their local phones for verification?

I would have assumed any kind of banned interaction with the USA’s baddies list countries (e.g. Iran, Syria, or North Korea) would apply to allowing users to sign up with phone numbers as well.

Though I guess there’s always cross referencing known contacts of expats and dissidents.


True, also enabled by state actors' apps/servers like Palantir.

For recovery and nonrepudiation purposes, storing a salted hash of the phone number would be the wiser course. If using SMS for notification, services like Twitter should have API callbacks and delegate the problems of multi-platform notifications to a trusted third-party similar to credit card processing.


A salted hash of a phone number is both useless and pointless.

You can easily brute force the narrow key space if you’re trying to verify if it’s “known”. And if you want to send an actual message you need the full value.

Sounds more like you want to outsource user verification and receive an opaque token for future validation.


Can't brute or rainbow table a salted HMAC, even if the keyspace were 10^10-10^13 because 1. nonces and 2. sufficient number of iterations, mem/cpu/gpu/asic-hard, scrypt-style.


You could turn the verification around. Instead of texting a value to a phone number and asking you to type it in, you say “Text this number to 40404: 123456”

Then, wait until someone texts that number in, and salt/hash the caller ID number and compare it to what you’ve got stored. If there’s a match, then you’re authenticated.

Probably lots of issues with this from ux perspective…


I think the main problem is that SMS sender numbers can be easily spoofed (might depend on country, operator, …), so relying on “this message came from where it says it came from” is not really possible.

It might not be an issue for some types of usage, but sounds risky if used for account security/recovery/etc.


If you keep your number private it won’t matter. In fact you could spoof the number on purpose for an extra layer of security.


Phone number verification (of any kind) is supposed to make sure that the phone number provided belongs to the account owner.

If the number is not actually validated in a secure (enough) manner, there's no point in using phone numbers at all.


Why not just have the user enter their phone number? You only store a hash of it and only verify whether it is indeed the one they registered with, and use the real one only for the duration of sending an SMS.

Not too secure, as phone numbers are easy to crack (possibly with randomized salt, that even twitter has to “brute force”?), but at least not every entry will be easily readable.
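
The salted-hash exchange above, and the later suggestion to store only a hash of the number, both turn on how small the phone-number keyspace is. The following is an added example, not part of any comment in this thread and not Twitter's code, that runs that check on a constructed 100,000-number keyspace; the "+000" prefix, the salt, the key and the scrypt parameters are all assumptions.

```python
import hashlib
import hmac
import time
from typing import Callable, Iterator, Optional

# Constructed keyspace: 100,000 made-up numbers ("+000" is not a real country
# code). The thread puts a real numbering plan at roughly 10**10 candidates.
PREFIX = "+00055"
SUBSCRIBER_DIGITS = 5
REAL_KEYSPACE = 10**10


def candidate_numbers() -> Iterator[str]:
    """Every number in the constructed keyspace, in order."""
    for n in range(10**SUBSCRIBER_DIGITS):
        yield f"{PREFIX}{n:0{SUBSCRIBER_DIGITS}d}"


def salted_sha256(number: str, salt: bytes) -> bytes:
    """Per-record salted hash; the salt is stored in the same row as the digest."""
    return hashlib.sha256(salt + number.encode()).digest()


def keyed_hmac(number: str, salt: bytes, key: bytes) -> bytes:
    """HMAC under a server-side key that is kept outside the database."""
    return hmac.new(key, salt + number.encode(), hashlib.sha256).digest()


def slow_hash(number: str, salt: bytes) -> bytes:
    """Memory-hard hash: scrypt, about 16 MiB of memory per guess here."""
    return hashlib.scrypt(number.encode(), salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)


def recover(stored: bytes, hash_fn: Callable[[str], bytes]) -> Optional[str]:
    """Hash every candidate and compare: possible for anyone holding the row
    and everything hash_fn needs (the salt, and the key if one is used)."""
    for number in candidate_numbers():
        if hmac.compare_digest(hash_fn(number), stored):
            return number
    return None


def measure_rate(hash_fn: Callable[[str], bytes], samples: int = 3) -> float:
    """Measured guesses per second for hash_fn on this machine, one core."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"{PREFIX}{i:0{SUBSCRIBER_DIGITS}d}")
    return samples / (time.perf_counter() - start)


def worst_case_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Time to try every candidate once at the given rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    key = b"constructed-server-side-key"                      # constructed
    number = "+0005531337"                                    # constructed

    # 1. Salt only: the salt defeats precomputed tables, not enumeration.
    row = salted_sha256(number, salt)
    print("salted SHA-256      :", recover(row, lambda n: salted_sha256(n, salt)))

    # 2. Keyed HMAC: safe only while the key stays out of the leak.
    row = keyed_hmac(number, salt, key)
    print("HMAC, key not leaked:", recover(row, lambda n: keyed_hmac(n, salt, b"guess")))
    print("HMAC, key leaked    :", recover(row, lambda n: keyed_hmac(n, salt, key)))

    # 3. Slow hash: raises the price per guess, the keyspace stays 10**10.
    rate = measure_rate(lambda n: slow_hash(n, salt))
    days = worst_case_seconds(REAL_KEYSPACE, rate) / 86400
    print(f"scrypt: {rate:.1f} guesses/s per core, "
          f"{days:,.0f} core-days per record for 10^10 numbers")
```

The scrypt figure is per record and per core, so it divides by however many cores are applied; the service pays the same per-guess cost on every legitimate verification.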


SMS shortcodes aren't international.


You could give the user a list of phone numbers sorted by country.


It's not 2FA if a secret comes from the same channel as the login one.


>trusted third-party

This is something Signal should look into if they're interested in an alternative revenue stream.


Can you expand a bit on how apps like Palantir could be used for this?


Is that Alex Morgan’s real phone number?


Who else suspects this is retaliation for Twitter files?


> Who else suspects this is retaliation for Twitter files?

There’s literally nothing to retaliate about in the Twitter files it’s entirely a nothingburger dressed up for outrage points.

This data is also from 2021 to early 2022 before Twitter files was even a thing.


How can you tell it’s from 2021?

Even if it’s a nothingburger, putting out bad PR for FBI and CIA has got to make you some powerful enemies.


From the seller in a reply:

> Twitter patched this in early 2022 so breach data is 2021 to 2022


The strawman of using the date of breach here is asserting that the breach was in response to another event.

Timeline of releasing the breached data can be correlated with another event, but the date that they obtained the loot is irrelevant. They could have simply purchased this from an unknown 3rd party themselves. We simply don't know.


It does matter, because it represents the difference between two different scenarios that don't have the same chance of occurring:

1. The FBI/CIA hacked Twitter and leaked their database in retaliation for the "Twitter files"

2. The FBI/CIA hacked Twitter (or someone else did and they obtained the data) back in early 2022 (for an unknown reason), and are now leaking the data in retaliation for the "Twitter files"


Or it’s 3?

3. FBI/CIA hack Twitter as soon as they can compile enough justification. Use data whenever it is useful, including retaliation.

Based on Snowden leaks, it wouldn’t surprise me if Twitter was hacked very soon after it was created.


This data was allegedly extracted using an exploit in the Twitter public API sometime in early 2022.

The seller could be lying about that, but there is relatively strong circumstantial evidence that suggests they are telling the truth.


What’s the evidence?

It’s moot anyway, since they can always filter their stolen databases by potential methods of exfiltration, so the dump looks like it only used a certain vulnerability.


> What’s the evidence?

To be honest the evidence for anything in this discussion is circumstantial and probably spurious at best.


All we know for sure is that someone is attacking Twitter via blackmail via hacking just after Twitter released bad PR for some of the worlds most powerful hacking organisations.

All the skeptic comments in this thread seem to worry about the veracity of the claims, but that’s irrelevant to the question of would FBI/CIA retaliate.


The “Twitter Files” showed Twitter was actually doing a better job at being balanced and fair than I thought they were. It’s embarrassing that anyone who read those threads came away thinking this was proof Twitter was doing evil things.


The irony of the Twitter Files, which showed Twitter leadership going through a painstaking process of determining what sort of actions they would take and the impacts in both directions of taking vs not taking an action, before coming with a decision, being released at the same time as ElonJet was banned, with a post-hoc made up BS policy of banning “doxxing” (which ElonJet wasn’t, by any definition of the word), followed by an arbitrary decision to ban certain 3rd party links with that arbitrary decision then being arbitrarily partially rolled back (?), was way too ridiculous.


The FBI and CIA were driving the removal or soft-censoring of speech that the US government didn't like. People spent a lot of the last decade saying that this never happened and that Twitter was just a private company operating on their own, instead of being the censorship arm of the government and in many cases staffed by ex-government...

Also, I wouldn't call Twitter's original moderation fair or balanced. There were clearly voices within who thought they were trying to fit policy to decisions they'd already made post-hoc. (Unfortunately if anything it's even worse now.)


> The FBI and CIA were driving the removal or soft-censoring of speech that the US government didn't like.

There’s no right to post CSAM or revenge porn on the internet, so of course the FBI “drives the removal” of that, it is their job.

I’ve done legal compliance for this elsewhere, I have turned down government requests without being persecuted in return, and I know for a fact Twitter’s previous administration was one of the most aggressive at fighting back here and put a great deal of legal effort into it. Example of a more cooperative response would maybe be Amazon Ring.

There’s also no right for foreign intelligence ops to post on US social media so of course the CIA has opinions on that, it’s their job. Etc.

(Current example of this one: a Chinese group is flooding Twitter search for different Chinese city names with ads for sex workers, to block people searching covid news.)

All these things happen under the rule of law, not random emails. If you don’t like it, change the law. I don’t know why you’d want to do that though.

I agree people might’ve said something other than this, but those people are amateurs and are wrong; talk to the EFF if you actually need advice here.


Why are you bringing up CSAM or revenge porn when the material and accounts referenced by the Twitter Files were ones that post content that was misaligned with the geopolitical goals of various US government organisations?

See: https://twitter.com/mtaibbi/status/1606701436104245248?s=46&... and earlier parts that show that their own influence campaigns had free rein: https://twitter.com/lhfang/status/1605294195975114765?s=46&t...


No, Taibbi is just lying. You can look up the deleted posts on archive.org and they’re pictures of Hunter Biden’s penis, which I will not link.

Some of them aren’t; these are mistakes. Law enforcement can report posts the same way anyone else can, and if they report the wrong ones you can ignore them. They don’t have special powers. It’s fine.

(Also, Taibbi moved to Russia in the 90s, assaulted underage women, and publicly wrote about it in his publication the Exile. This is also a kind of bias.)


Source for Taibbi assaulting women? The only thing I can find is a book chapter satirizing misogynistic expat attitudes.


https://chicagoreader.com/blogs/twenty-years-ago-in-moscow-m...

Him saying “oh I didn’t mean it” only in 2017 when people asked about it during a MeToo wave isn’t, I think, particularly convincing.


We can dispute the veracity of dumps without resorting to ad hominem attacks


I think Elon literally hiring a Russian sex criminal to release his news for him is a considerably more notable thing than an ad hominem attack! It’s not like he was the most natural choice. (Not intended as an ad hominem on Elon, who has more than enough problems. Literally I don’t know why he did it.)

He could’ve just had Bari Weiss release everything. (Weiss has, in the meantime, been unfollowed and presumably fired as Elon’s journalist because she tried to mildly criticize him once.)


I did some additional research into this Taibbi person, and in addition to being a Russian sex criminal, it turns out he's done some work as a journalist. I think that might have something to do with why Elon chose him to release the news.


I promise in the real world it is perfectly sensible to not trust a person on any topic if that person is a Russian sex criminal. Journalists interpret events and are not beep-boop robots printing out emotionless lists of facts. You can find a different journalist!


There are a group of people releasing the Twitter Files. Are we going to name call them all as sex criminals? Were any even found to be guilty by a court or are you simply applying dirty tricks? And how is that relevant to the truth of the content? Are you going to respond to me telling me that at the root of this is Hunter Biden's penis?


No, only Taibbi is. I think there’s a third guy but can’t say I know anything about him.

But this is something in the real world, not a logic puzzle, and unfortunately in the real world you actually do need to consider the context of everything using all available information. I mean, you going “this guy is just coincidentally a sex offender” is not the common man on the street’s response, and most journalists are literally not sex offenders.

I don’t know what Elon is doing. He’s of course extremely compromised by multiple governments, I mean he owns SpaceX and a Chinese Tesla factory, and Saudi Arabia (who’s planted spies at Twitter before) is a major investor now. I also suspect Elon doesn’t know what he’s doing, though.


I think you should apply the same criticism and context to your own posts, which literally consist of trying to link information to sex crime in order to attempt to change the conversation.


You have effectively moved the conversation from 'the FBI requesting removal of illegal content' is completely different from 'the FBI is acting to enforce censorship of protected speech with Twitter's willing compliance' to 'is the journalist being an alleged sex criminal relevant'. So let's all stop that line and go back to 'regardless of anyone's past activity raping people, you are wrong.' Retort?


The context and text within the emails doesn't match what you just wrote and from what I've seen there were 1000s of deletions -- not only of Hunter Biden's penis as you imply...

It makes zero sense to me that this email (https://twitter.com/mtaibbi/status/1606701482308669440?s=46&...) would have anything to do with Hunter Biden's penis. The Twitter employee is clearly talking about feeling unable to not act on a pro-russian tweet even though they hadn't been able to support any action on it using Twitter's own policies.

The point is, the US government partially infiltrated Twitter, and then applied regular external pressure on it to apply badly defined policies against their targets.


Btw, I endorse all US influence operations run on any websites and think all of them are awesome. America #1, after all.

If you want Twitter to be upset about that one, you may have to get them to move to some non-aligned country. Maybe there’s some kind of Yandex Twitter? In the meantime, it’s probably against TOS insofar as it’s a spambot, but state media like VOA seem okay.


Well, how soon will it be until non-US aligned social media like TikTok is banned in the US anyway? The popular alternatives that you speak of may end up banned.

Also I don't understand why non-US citizens should be allowed to have their speech rights crushed by the US government. Many people of different nationalities live in the US and should be free to speak -- they shouldn't be censored by the US government wearing a glove ("US Tech Organisations") but effectively calling the shots.


If TikTok was banned that’d be disappointing. I don’t expect it to be; the plan where Oracle bought it was better. It is a problem that China influences it.

I don’t think the EU is capable of making a popular social media site either unfortunately. They don’t have the culture.

Twitter does have blatant Chinese propaganda up, like their wolf warrior diplomats and Chen Weihua, which is another good sign for what they’re allowing elsewhere. Maybe that’s just because Chen is so incompetent it’s funny to let him post…


> Twitter does have blatant Chinese propaganda up

Isn’t Twitter blocked in China? Do wolf warriors not see any hypocrisy in using it?


Why would they do that? It’s normal for Chinese export and domestic businesses to be completely different too - you can get all the Winnie the Pooh merch you want made there.

Not being hypocritical isn’t even a universal virtue.


It’s just extolling the virtues and freedoms of China on a platform that is blocked in China doesn’t really make one look sincere.


Or... you could just actually read the Twitter files?

You clearly have no idea what's in them judging from your comment...


There are a few responses people have found useful to misdirect and shut down conversation around this topic. Nothing burger, and the claim that it was about revenge porn, are strong signals that this is one such stock response.

It’s disappointing how the commenting postures surrounding culture war issues curtail curiosity, the spirit of inquiry more generally. A now naive-seeming but widely held assumption about the information revolution was that the instant availability of primary source material would lead to more informed public debate. It’s now apparent to me that knowing how you’re supposed to feel, and what others think, are more important— at the very least more useful— than any naive interest in trying to interpret the messy reality.


>There’s no right to post CSAM or revenge porn on the internet, so of course the FBI “drives the removal” of that, it is their job.

Why would the FBI be involved with anything related to revenge porn? Posting revenge porn is not a federal crime.

(Tangentially, it appears that there remain two states in which revenge porn is not a crime. Yuck.)


It’s not not their job to be informed about state crimes.

I don’t think it’s a crime to literally leave it up in the same way distributing CSAM is, but it’s evidence someone is committing a crime, which is a TOS violation most places as most sites don’t want to encourage that. And Twitter’s TOS is what Twitter cares about. Whether reports come in as emails or their annoying inefficient report form is not important.


"Retaliation" for some already public dick pics or what? "ThE tWiTtEr fIlEs" are a nothing burger story to attract more idiots to Twitter.


What, in the Twitter Files, is worth retaliating against?


Alleging the FBI and CIA are doing unconstitutional acts.


Slight correction: alleging Donald Trump's government was doing unconstitutional acts.

Which we know they did, in spades, in other contexts; but I've seen no evidence in the "Twitter files" to indicate anything illegal was going on in this context. The government briefed Twitter that they expected disinformation campaigns and to be on the lookout for them. The government also flagged a bunch of tweets as "hey, these are sus and might violate your rules, you ought to take a look" like anyone else can do.

Whatever Musk and Taibbi are trying to cook up, they seem to have forgotten who was running the federal government at the time. It wasn't Joe Biden or tHe LiBeRaLs. The whole thing is stupid.


Thanks for the correction, it’s an interesting point. In terms of CIA and FBI involvement, why didn’t he put a stop to it if he could? How would the censorship have benefitted him?

One thing I can’t get my head around is Twitter censoring joke accounts. Do you think it was because they were under so much time pressure that they erred on the side of trusting the Government suggestions?


>One thing I can’t get my head around is Twitter censoring joke accounts. Do you think it was because they were under so much time pressure that they erred on the side of trusting the Government suggestions?

If a joke account specifies it's a joke account in its profile information, great. But that content doesn't get displayed when someone shares a tweet made by that account.

Now, think about how many times you may have come across something on the internet that was a joke, but also easy to misread as a serious comment. Such is the nature of a lot of online dialogue.

You've now got a tweet that can easily be (mis)read as truthful, being shared by people on their accounts who could insist to their own followers (who might not do their own due diligence and look at the joke account's profile to see that it's fake) that it's real, and voila, suddenly you've got a joke being used to spread misinformation.

I'm not defending Twitter or taking a side here, nor am I saying that's what happened. But it's a possibility that that's one perspective taken.


Can you please cite an example of an unconstitutional act that occurred in the Twitter Files?

And, who is doing the retaliating?


Censorship that violates the 1st amendment. I doubt that anything illegal happened, but that is the implication.

FBI or “OGA”


Also the US-army.


No one



Plot twist-Elon actually authorized the leak to create more drama-distraction / leverage: deceptive indication & warning.


He isn't that smart, and this won't help Twitter or him at all. It will further erode trust and possibly cause the stock to dip.


Thank you for that comment, Elon


Agreed. :p


I submit due to this and other compliance deadlines in Jan 2023 that Twitter will be filing bankruptcy in Jan 2023.

If you use twitter as an auth point for other websites you should switch now as a bankruptcy filing might also include a twitter site shut down.


There is a prediction market for the same but for entire 2023 instead of just Jan: https://manifold.markets/LeonardoKroger/will-twitter-file-fo...


I'll take that bet!

What odds you taking? I'll take 1:4 odds of bankruptcy in Jan 2023 up to £500 (e.g. I get £125 if it doesn't go bankrupt then and you get £500 if it does).


Everything is possible with that shitshow, but I doubt it.

But still, this is a very good reminder about using twitter as login somewhere else!


Wouldn't the receiver want to keep the site running to maximise the value when it's chopped up and sold for parts?


Hell yeah! I'm game what $$ will you go up to. I want a free down payment; we can get an escrow setup.


I'll take that bet. How much?


Why would they file for bankruptcy? Are they out of cash next month?


They never had large cash piles to begin with.

And now they’ve been saddled with debt whose interest is equal to about their annual revenues before 50% of their largest advertisers stopped advertising.

And they’ve certainly exposed themselves to massive FCC and EU fines.

I think Jan 2023 is way too early, but Twitter has a lot of financial footguns just waiting to go off.


This user could be easily larping.


I'll take that bet at 10k EUR and I'm dead serious.

Easy money.


If you're offering to bet randos on HN 10k euros, I don't think you are dead serious.

edit: oh god there are two more people doing the "Oh I'll bet! How much?" - I've seen this hundreds of times before. Someone states their honest opinion on here, and a handful of others chime in trying to goad them into staking money on it. When they obviously don't (because why on earth would they?) they get accused of being insincere, not being willing to stake "real" money on it (with perhaps the implication that they're small-fry, and do not have the means to do so unlike the wealthy, high-rolling proposer of the wager), or whatever. It's childish, nobody thinks you're cool and nobody believes you'd actually make a frivolous 10k bet with a pseudonymous person.


I would actually. There are online escrow services for that.

Also I didn't goad anybody into doing anything: they offered to bet and I took the bait (and then edited their post to remove the request for betting). Not the other way around.

If you're not willing to bet, then don't create a post on the internet stating that you're willing to bet? simple.


Eh I didn't see any offer to bet anything, but in any case if someone on HN says "I bet that XXX happens" then it's safe to say they don't mean "I will bet anything that XXX, name your terms and I will match them, otherwise I concede since you have bested me using logic!"

This is not a betting platform and tbh I think dang et al would get in trouble if it turned out HN was facilitating some form of gambling. In reality trying to make someone put money behind their predictions is a way to try to make them back down, look silly/small/cheap and as I said originally, it is childish. Don't do it.



