It's not just real email addresses, but this leak (if real) could have also de-anonymized a bunch of people if they were foolish enough to use their real name, or their email address that has this info
>The seller told me they scraped the data using the same set of weaknesses in Birdsite APIs that allowed the scraping (and publishing) early this year of profile data on 5.4M Twitter users.
Sigh... So many of the massive social media leaks are just people taking advantage of their publicly documented APIs.
I fear more services will stop providing public APIs and maybe even use constantly changing obfuscation like Snapchat and TikTok to make it harder to use their internal APIs.
Gee I sure love being forced to enter my phone number into every app I use so there is a nice big single point of failure that apparently can be taken from me with basic social engineering of phone company employees.
Ironically, this data dump could prove particularly useful for me.
I have a Twitter account for which I no longer remember the username, and have lost the password. It is, and has been for years, impossible to recover the account, because of a circular dependency in the lost password / account recovery form. I've been tweeting at Twitter Support for years to no avail.
Looks like I can just search this data for my email address and find out what the account name is.
The inclusion of Scott Morrison (ex Australian Prime Minister) as "ScottMorrisonMP" instead of "ScottMorrisonPM" could date things to after 23 May 2022 (when he was voted out of office).
This really shows the importance of Apple's Hide My Email feature. I’ve been using it wherever possible. However, I think I might go back through my online accounts and make sure I’ve got it set up. Generally, my phone number has been with spam centres for a while now. I’m not changing it, because it’s so much friction to change it. Right now, I hardly ever take calls because of the massive spam influx. I’m not sure getting a new number will fix this because they cycle numbers and you may just get the spam from a different person. Right now my phone is pretty good at blocking most spam I get through the phone. Not sure how it does this.
Unrelated, but I had no idea how bad spam calls were until moving to Canada. I had a total of maybe 5 spam calls in 30 years in Belgium. Meanwhile I get 5 per week in Canada. Absolutely insane :/
Your experience in Belgium is similar to what people describe when living in Germany. Apparently, the fines for telcos are insane when spam calls occur. So there is a strong incentive to prevent them. Is it similar in Belgium?
I don't know what the exact mechanism is in Germany, but it works. The only unwanted calls I get maybe once every couple months is random British headhunters who probably got my work number from an email signature or another professional contact some way or another. Otherwise, spam calls just aren't a thing here.
Yeah, but the problem isn't local businesses spamming you anymore. It's foreign people calling, most often with a spoofed local number that the telcos somehow "can't" figure out is not really calling from a different country when the SIM was active just a minute ago locally.
Depending on your phone provider you can activate a feature that challenges the caller to solve a small problem before connecting the call.
TELUS calls it “Call Control”, and all its subsidiaries offer it. The major phone providers offer it too. It is the only thing I miss from my old TELUS plan.
Interesting solution! I’ve never heard of this but it makes sense, like a captcha for phone calls. I’m in the US and have had to stop answering my phone thanks to 2-3 spam calls per day.
The real answer is for the phone companies to use a protocol that doesn’t allow easy spoofing of any phone number (I believe one has been proposed but not adopted). Hilariously, I even have a medical provider app called Doximity that abuses this network ‘feature’ to disguise a doctor’s personal cell phone as the phone number of their medical clinic.
Even better, outside of the illegitimate ones, if your role is at all applicable, Oracle sales reps will essentially love bomb you on a never-ending basis and because their turnover is so high, you get a barrage of calls on any given day of irrelevant things. Honestly I wish the phone “app” didn’t exist. If it’s someone you interact with a lot it’s very unlikely an unannounced phone call is what they’d go with.
I don't get why this is the case, surely there must be a huge majority that hates those calls and wants them to stop? Is there some sort of political lobbying that prevents effective laws from being passed?
That doesn't help offshore call centers dialing to you over VOIP. Different jurisdiction and difficult trace means almost no accountability. That's the problem in the US, plus our congress is of course, the best one money can buy.
Mine seem to come in waves. I haven't gotten any, or Google hasn't let any actually ring my phone, in a few days then there will be days with a half dozen.
But I did stop getting so many spam calls in recent months, so I assume ATT or other phone service providers in the US have enabled some type of anti spam measure.
Yes, also from Canada it’s absolutely the worst. I came from the Netherlands, and it’s an absolute world of difference. The telcos need to resolve this at a system level and get rid of these call centre software solutions. However, I’m sure Telus/Bell/Rogers all get lots of money from all these calls so no incentive to stop them.
Can’t help but think that at some point people made the wrong decision along the way.
I would not put any faith in the Canadian telcos at this point. They feel quite outdated, charging insane prices for subpar quality service. (From my experience with Bell and limited Rogers experience).
There are many things they could improve on and I think dealing with spam is probably low on their list.
They used to have the concept of 'airtime' that you paid for, is that still the case?
The effect was that spam calls directly benefited the telcos at the expense of the person called if they answered the call.
I've lived and worked in Canada for many years; the longer I was there the more the outward shine wore off and eventually I just saw it as a loosely collected set of monopolies with the state backing them, filtering every dollar from Canadians that they could get their hands on.
One trigger here was creating an account in a particular bank. Seems to be breached. Unfortunately Canada is a captive market, we don't have much choice.
Unrelated but related: I live in the U.S. and get about 1/week now, down from about 1-2/day a year ago. Using iPhone XS Max (2018) & latest iOS (always promptly updated).
I always hit "Block this number" option before deleting.
Phone company (AT&T) labels some in red as Spam; Apple does the same.
Mandated SHAKEN/STIR seems to have been huge. I also used to get about 1/day, now it's 1/week and it doesn't even ring - my Pixel just gives a notification that I missed a call from a known shady number.
I know no news site will ever get clicks from "Competent Government Helps Solve Real Problem", and I know we're not 100% there, but it was genuinely a leap forward and people should talk about it more.
My strategy is to answer every call but remain silent. 9/10 times they hang up after 2 seconds. The remainder are 50/50 real calls and manual spam calls. My assumption is that the robo dialers are recording the success or failure, and if you answer quickly but stay silent, that's some kind of failure. I've done this for a few years and I feel like I get less spam than I used to. Looking at my call log, it looks like I've had less than 5 spam calls in December.
More effective would be to have a button I can tap in the phone app labeled "waste this person's time", which would automatically attach the caller to an AI designed to maximize the amount of time the caller wastes on each call.
I once made a website where you could enter two phone numbers on. It would call A with B’s caller ID and B with A’s caller ID. After the call it would send an sms/call from the service explaining what happened and they could consent to release the recording for the pranker to listen to.
It was funny to have Pizza Hut and McDonald’s both think they’d called each other. Or two people standing right next to each other.
I nearly got in quite a bit of trouble when someone pranked two high level people in the military, and they decided to have a conversation they probably shouldn’t have had on personal cell phones.
It was fun while it lasted… but I wonder if something like this could work for spam calls. Basically instead of forwarding to voicemail, have it route to some pre-recorded messages you make (“yeah”, “hello”, “I didn’t hear that, can you say that again”) and loud background noises playing. Then it can send you the recording as your “voicemail”. Could be fun.
If you hide your email but can't hide your phone number, and companies like Twitter or Google will not let you create an account without it, that does nothing for your privacy.
For anyone not using Apple devices, DDG has email generation built into their browser plugin. I'm not sure if it's in their browser app, but I'm sure they will add the feature.
I feel like it’s already doing this but I’ve set it up in a weird way. I’ve changed my notifications to make a sound when it’s from my contact list (or can be found in a footer in an email I’ve ever received) and else it will be silent.
I hardly ever get an unknown important call that doesn’t fall in those categories. This has me not picking up the phone for spam calls, but I hardly ever miss an important call.
There are other things I’ve set up that I don’t want to go into because they can be solved by the spam callers and I’d like to keep it a secret ;)
So you’re saying Apple AND dozens of other companies, most of those with worse security, having my email address is JUST AS BAD as ONLY Apple having my email address?
Hmm, if I made a Twitter account 7-10 years ago (I forgot when exactly, haven't used it in ages) did they require a phone number then, or did it only leak my email, which is already leaked anyway?
Edit: thanks, all the reasons listed to give them a phone # don't apply to me so I'm safe
They have never required a phone number for account sign up. So unless you either a) used it as a form of 2FA, or b) got put into a “time out” for whatever reason and Twitter required a phone number to unlock the account, you didn’t have to give them your number.
For many years now, Twitter automatically shadowbans new accounts if they did not supply a phone number during sign up. This is of course just a ploy to collect phone numbers. The reason they give for the ban is that their terms of service have somehow been violated, even if the account has never posted anything, but the violation magically goes away if you provide a phone number. In the past, you could also write a mail to some support email address, but that took a few weeks even before most Twitter employees got fired.
Twitter has an extremely nasty dark pattern for acquiring your mobile number.
So much so that if you pay for and use a temporary number from services like OnOff, Twitter cleverly detects this and never sends you a verification code.
You need to use a number that is likely tied into a major phone network, most people will do this, as for the privacy conscious like me I had no way of circumventing the measures Twitter had in place at the time. It was very frustrating.
Well, as of late even big providers are not sending verification codes. My main has a number attached to it (for API reasons), but the other day I needed to log in on my freshly reinstalled laptop and chose phone, as my 2FA device was in another room and I was being lazy, and I never got the code even though I must have validated it in the past.
It was around the time that Elon tweeted out something about telcos sending out spam SMS in Twitter's name.
There was a bug for a while (not sure how long) where account signup with email didn't work. It was going through fine but after everything was set up, you couldn't continue without a phone number and it would not activate your account. I'm not even sure if it was a bug or just a test of how many people would continue.
This is why I don't register with real data ever anywhere.
They do not need my email or phone number for anything but they will store it and likely are not capable of protecting it more than a few years.
If it serves a purpose then that's a different thing and must be evaluated case by case. But if it serves you nothing then just don't enter your real data ever.
I know this was from before the takeover. But this is only going to happen more now that the remaining staff at twitter are overworked and burning out.
Look at the user's comment history, literally the whole first page is only him nonstop defending Musk in different threads. Wish I could post that pic of weird nerds protecting Elon and his companies from valid criticism
There's a difference between defending Elon and calling out bullshit. There's plenty of legitimate reasons to criticize Elon. Making up things that are entirely unsupported by evidence, and with strong evidence to the contrary, is tremendously exhausting to read all the time - so yes, I comment and point it out.
An 80 hour work week is over-work and will lead to burnout.
I'm not sure what evidence you're looking for, you can take Elon at his own word that he is expecting the remaining employees to shoulder significantly higher burdens than normal. You don't build bedrooms inside of an office when your employees have a healthy work-life balance.
Also if you want to verify the data is legit you can pick a random verified user and try to send them $25 with Venmo. It will ask you to confirm their phone number. Sure looks legit to me though.
There's a simple zero knowledge proof to show that you actually have the data. Have a CSV of username + salt + hashed(salt + email) + hashed(salt + phone number) , etc.
Users can check their own email/phone/etc to verify that the attacker has the data, without the attacker revealing the data.
I am guessing that this was relating to certain individuals having Hotmail accounts, rather than more official sounding email addresses? I won't repeat any addresses here, but it did strike me as odd too. Hell even I have a @mylastname.org email address and I'm a nobody.
Having an email address at your own domain is incredibly risky for most people - because it requires them to reliably renew that domain name every year for the rest of their lives.
FUD - No it doesn’t. Just renew it every 10 years or whatever max renewal is available. Absolutely no requirement to do it every year. You will also get multiple reminders and grace periods if you forget too.
That’s not to say ‘most people’ should have their own domain, but renewal is one of the least tricky aspects of domain ownership.
So there is a risk to some extent - if you forget to renew and ignore any reminders you receive you'll lose your domain and access to anything attached to it. But that's like saying you shouldn't get a mortgage and buy a house, because if you stop paying your mortgage at some point and ignore your bank's increasingly anxious and strongly-worded letters then you'll lose your house.
A lot of the sample phone numbers seem to be some dummy number "+0000 2009". Is that a secret way around phone number requirement for twitter accounts?
That’s just a date value, “+0000” means UTC and 2009 is the year. If the value is in the phone field, might be a glitch or hidden value stored in the phone field that has a meaning that is undocumented; for example that the account was created prior to the phone field being added, though that seems unlikely, since my understanding is Twitter started out as phone-based.
You used to be able to sign up with just an email address then they started forcing phone number verification by lying and saying they caught your account acting like a bot so you needed to verify you’re human using phone number (you got the message even if you did nothing or just followed a few people, total lie)
Point is that generally speaking databases rarely delete fields once added, especially field as valuable as a phone number; as such, my assumption is Twitter has had a field in their database for a user’s phone number since it was first released.
Twitter’s been collecting phone numbers since at least late 2006:
So what you are saying is that when they started they required phone numbers? As in, what the commenter I was replying to wrote was not true? The 'footnote' in history seems pretty important when the whole point is that ignoring it leads you to assume things that are wrong.
I’ve done something similar and my guess is they performed a migration in 2009 and didn’t want to force current users to provide phone numbers so they used the default value as a placeholder/note that reminds them to special case these users who were grandfathered in under the old rules.
From a cursory look the 1000 sample names seem legit; if it’s fake they at least did research to get plausible area codes for phones and some plausible domain names for some celebrities' email addresses.
1) I've seen a lot of leaks being ransomed by hackers and hacker groups before and this post seems a bit amateurish (terms, payment, reference to GDPR, name calling Elon etc.)
2) That's not how GDPR fines work (the numbers referenced in the post regarding 400m users). The previous fines were given because of the lack of notifying the EU regulators, not because of the size of the breach. If Twitter is only made aware of this leak now, they can send the reports now and then work on their internal investigation and no fines will be given.
To whom? For some on the list it could be worth their life. To a hypothetical buyer it depends on how effectively he can exploit/resell the data.
I suppose you mean how much it could be sold for? The easiest/safest buyer is probably the company itself, paid for by their insurance policies. Such policies will likely cover ransoms in the millions.
However, with the current Twitter management it probably won't work; Musk may even not be paying the premiums given that he is not paying office rents, or more likely be unwilling to negotiate.
For any other deal it depends a lot on the seller and buyer. You wouldn't want to be drinking polonium after driving a hard bargain with the Russians after all.
I may be wrong, but I believe this is information that was already available to you using the API. The only difference being that they have downloaded all the data and compiled it into an easy to use CSV. So I could see a lot of small-time spammers wanting a copy, but I don't see it being terribly valuable, like actual private data might be.
I believe this is not correct. You are definitely not able to get random people's (including government officials) phone numbers and email address using the API.
Leaker probably wanted to prove it's not just US accounts.
It's pretty easy to google "big India twitter accounts" or "big China twitter accounts" - there is a China newspaper on the list, a France Gov agency, ...
I'm happy I haven't given in and didn't agree to hand them over my phone number, in spite of all the grey patterns they used. In the end, I just consume Twitter, and for that Nitter is not only enough, but far superior to the original.
This reminds me of how some people these days don't publish an email address on their website, but rather a Twitter handle, expecting you to send them 'direct messages'.
If this db contains phone numbers everyone has effectively been doxxed. All sites requiring phone numbers should be outlawed or get shut down if they have any breaches; this is potentially a privacy catastrophe and potentially dangerous for thousands of individuals.
Your comment still doesn't make any sense. Either you want the highest verification tier and go with phone verification, or you don't. It's your choice as admin. As a user you can just delete the phone number from one account and use it to verify another... you will have a timeout [2] but both accounts will be verified. Is it annoying? Yes. Is it understandable to rate limit it? Yes. Is it impractical? No.
I can't remember why but I had to switch my phone number from my personal discord to my work discord, either to get it to allow me to login from my iOS Discord or something else asinine. I remember it took me maybe 40 minutes to get into the thing, haven't seen anything like it.
They're weird about it, sometimes you have to and sometimes they never ask. It's not like Twitter where you can use the site for an hour before they force you to verify. They probably do it so people will say what you said when people point out the problems with it.
Twitch requires your phone number to a) become verified (because apparently paying them every month for 5 years is not a verification) and even dumber, b) to enable TOTP.
And people on the Twitch subreddit insult you for even questioning this issue, even after they had a data leak. And yes, that's a majority opinion over there.
Some communities (fandom is probably a better word) are more like cults of personality than actual communities.
Given the fannish nature of Twitch and its audience in general, this level of almost religious fanboying and "how dare you question the Gods" mentality is very familiar (my teens and 20s were spent in fandoms - first anime, then comics, then furry).
I've seen this in every single one of them to some extent, but especially furry and Twitch. It's sad, because -- as they say, sunlight is the best disinfectant -- and all this does is block the sunlight and discourage people from talking about issues.
Both twitch and YouTube's subreddits aren't moderated by staff, but by random tryhards. If they don't like you, you're banned. Reminds me of Wikipedia.
Reminds me of furries, and a lot of other fandoms actually.
A: "Hey I had a problem at the con this weekend"
B: "How dare you talk about that, that's DRAMA! Take your DRAMA elsewhere, LLAMA. I'll have you know the guy who runs ConWeekend is my best friend! You're Banned for life! Long live ConWeekend! And here's that Japanese BANNED meme video to play you out! HAHA I SAVED THE FANDOM!"
You don't sign into a website forcing you to give them your real phone number if you fear being doxxed. How can anybody feel "anonymous" at that point?
I put a fake phone number into Twitter and a throwaway email. Got a few complaints about not having verified my number, then got banned for breaking the rules.
“Your account is permanently suspended
After careful review, we determined your account broke the Twitter Rules. Your account is permanently in read-only mode, which means you can’t Tweet, Retweet, or Like content. You won’t be able to create new accounts. If you think we got this wrong, you can submit an appeal.”
I can’t even follow anyone, but at least I can read tweets.
As I tweeted nothing nor indeed followed anyone all I can assume is that you have to have a real phone number to sign up.
Maybe you don’t but plenty of people do. There’s a huge middle ground of people who aren’t aiming for “anonymous” and who aren’t doing professional opsec, but still expect not to have their pseudonymous online identities linked to their real-world-identity phone number.
Companies know that people think like this nowadays, so they only require the phone number after you are already invested into the service. Twitter had this where they would allow you to not set phone initially, but then ban you some time later and require it to lift the ban. Microsoft also bans you for “suspicious activity” and the only way to unlock account is to “verify” your number. You can only contact them about it via another ms account or… by phone. Fuck everything about this tbh.
For everyone to know, Instagram does this too in a way. They would let me sign up with just an email, verify it, then at first login auto ban me. Giving me the option of appealing and tracking said appeal by giving them a phone number.
The only way I could resolve it was by using a phone number. Meanwhile they've harvested 2-3 of my anon and temp emails.
Twitter doesn't require a phone number anymore. You can use it via the website or a mobile app. I have an account from 2014 and it does not have a phone number associated.
I then did not use it, for something like a month.
I posted - and the account was suspended, I was emailed, "you have violated our T&C, please provide your phone number to validate your account".
I may be wrong, but to my eye, they were attempting by deception to trick and force users into handing over their phone numbers.
I explained I had no phone number, and I had not posted at all, so it was hard to see how I had violated the T&C, and the account was unfrozen, and has been fine since then.
> Twitter doesn't require a phone number anymore. You can use it via the website or a mobile app.
You used the word ”anymore”.
Obviously, you are implying that Twitter required a phone number in the past, but because you did not specify the time of the change, we must assume. It could be that phone numbers are not required since an hour ago or a year ago.
Regardless, if it was a requirement, chances are high that a good portion of the 400+M users in this (supposed) data breach were encouraged to share their phone number with Twitter.
Not to dismiss your contribution but if you have to write ”anymore” I don’t see the point of your comment.
I don't know if something has changed recently but at least as of 2016 when I signed up for a new account, I got immediately placed on a suspicious user list and had to use a phone number to prove I was a human. It was just a prepaid cell phone number that I don't even remember anymore so I don't know how it helped anything but yeah.
I suspect twitter did this to pretty much everyone.
Twitter originally was done via SMS, that's why status lengths were limited to 140 characters. So, obviously you needed a phone number when it first started.
> Twitter originally was done via SMS, that's why status lengths were limited to 140 characters. So, obviously you needed a phone number when it first started.
This isn't what we are talking about. We are talking about requiring users to "prove they are human" by giving Twitter a phone number and then entering an authentication code that they text to that number.
It doesn't accomplish anything because I can get a new SIM card and a month of "unlimited" talk and text prepaid service for about USD 20(?). I didn't think of it much but looking back it is clearly a data grab.
> And for once it’s the people in power that are going to be disproportionally affected
Seriously? The people in power probably have many, many phone numbers, and getting a new one is not such a big deal.
Getting a new phone number is a much bigger deal for people not in power, and so are the possible negative outcomes from this (e.g. revealing the hidden identity of stalked or politically prosecuted individuals who are not in positions of power).
That's a good point. Perhaps a weaker claim is just the idea that people in power (or more generally, people of influence) are as likely to have skin in the game, which can only drive engagement on the issue. That's different to many issues for which those in a position of power are often less affected directly.
Pretty sure this comment is related to that recorded teleconference Elon joined to let everyone know that if you dox, even if you tweet about someone else doxxing and link to them, you're banned.
As others have mentioned, the time range of when the data was scraped seems to be end of 2021 to start of 2022, maybe into mid 2022. If correct, that was certainly before Elon Musk took over, probably even before he made his initial offer.
Same, I need to know if I should enter damage control mode and deflect this from Elon or if to simp for him if this happened before. Very important information
It's interesting how celebs use just their plain names @ gmail.com as the username, just like most people. Wait, celebs are people too I guess, right? Ha ha....and I saw one even adding their birth year at the end of the username/email, or just the 2 digits. That became a thing especially for early 90's kids. I did it, and I still see many with that, and I cringe. Like, please realize you are giving your birth year away and that should remain private.
I think that makes the reference class "Buy Saint Vincent and the Grenadines, yes the country, to gain control of the TLD that this forum is hosted on".
Probably cheaper than Twitter, Saint Vincent and the Grenadines' GDP[0] is about half of SpaceX's revenue.
[0] yes I know that's not the same thing as "net worth", and also countries are not generally for sale, despite things like the Alaska and Louisiana purchases.
I was excited about Musk buying Twitter and his supposed free speech agenda. Yet lol free speech when it only suits him as well the constant changing his mind and broken promises. I once again deleted Twitter off my phone.
If this hack is true Musk buying Twitter shows he is no genius or ever was. He's just another ego maniac Trump type which the majority of the public is tired of
> Twitter or Elon Musk if you are reading this you are already risking a GDPR fine over 5.4m breach imagine the fine of 400m users breach source
> Your best option to avoid paying $276 million USD in GDPR breach fines like facebook did (due to 533m users being scraped) is to buy this data exclusively,
Paying the criminals wouldn't help here. First, there is no guarantee that they wouldn't release the data anyway, second, the data already got leaked - criminals who were responsible for it have access to it, third, they publicly posted the information they have access to it.
Instead, the proper solution is after verifying legitimacy of the leak to immediately (within 72 hours) notify supervisory authority and users about personal data breach according to Articles 33 and 34 of GDPR.
They can be breached and in compliance with GDPR. Basically you need to do 'best effort', avoid holding on to data you do not need (data required for verifying logins, password recovery would typically be 'data you need') - and report breaches to the authorities and end users.
The GDPR does not make impossible demands like "never have a security breach".
If real, some people may basically face the death penalty in countries like Iran with the current situation. Anyone with anti-regime content and identifiable attributes in the leaked database is very stressed now.
Would users from those countries even be able to use their local phones for verification?
I would have assumed any kind of banned interaction with the USA’s baddies list countries (e.g. Iran, Syria, or North Korea) would apply to allowing users to sign up with phone numbers as well.
Though I guess there’s always cross referencing known contacts of expats and dissidents.
True, also enabled by state actors apps/servers like Palantir.
For recovery and nonrepudiation purposes, storing a salted hash of the phone number would be the wiser course. If using SMS for notification, services like Twitter should have API callbacks and delegate the problems of multi-platform notifications to a trusted third-party similar to credit card processing.
A salted hash of a phone number is both useless and pointless.
You can easily brute force the narrow key space if you’re trying to verify if it’s “known”. And if you want to send an actual message you need the full value.
Sounds more like you want to outsource user verification and receive an opaque token for future validation.
Can't brute or rainbow table a salted HMAC, even if the keyspace were 10^10-10^13 because 1. nonces and 2. sufficient number of iterations, mem/cpu/gpu/asic-hard, scrypt-style.
You could turn the verification around. Instead of texting a value to a phone number and asking you to type it in, you say “Text this number to 40404: 123456”
Then, wait until someone texts that number in, and salt/hash the caller ID number and compare it to what you’ve got stored. If there’s a match, then you’re authenticated.
Probably lots of issues with this from a UX perspective…
I think the main problem is that SMS sender numbers can be easily spoofed (might depend on country, operator, …), so relying on “this message came from where it says it came from” is not really possible.
It might not be an issue for some types of usage, but sounds risky if used for account security/recovery/etc.
Why not just have the user enter their phone number? You only store a hash of it and only verify whether it is indeed the one they registered with, and use the real one only for the duration of sending an SMS.
Not too secure, as phone numbers are easy to crack (possibly with randomized salt, that even twitter has to “brute force”?), but at least not every entry will be easily readable.
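The subthread above argues back and forth about whether a salted hash of a phone number protects anything. The following is an added example (not code from any commenter, and not anything Twitter runs) that makes the point concrete: a per-user salt must be stored next to the digest, so whoever steals the table can re-run the hash over every candidate number; a keyed HMAC whose key lives outside the database cannot be enumerated without that key. The sample number, the search range (shrunk from a real 10^9-10^10 national number space so it runs instantly), the salt and the key are all constructed for the demo. The last function shows the constant-time comparison a server would do on a submitted or observed number (the "caller ID on an inbound SMS" idea above).

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed sample data (assumptions for the demo, not real subscribers).
# A fictional E.164 number and the range an attacker would enumerate.
SAMPLE_PHONE = "+15550142718"
SEARCH_SPACE = range(15550140000, 15550150000)  # 10^4 candidates


def salted_hash(phone: str, salt: bytes) -> bytes:
    """Per-user random salt + SHA-256.

    The salt has to be stored beside the digest so the server can verify
    later, which means a database thief gets it too. The salt only defeats
    precomputed (rainbow) tables; it does not stop per-row enumeration.
    """
    return hashlib.sha256(salt + phone.encode()).digest()


def keyed_hash(phone: str, key: bytes) -> bytes:
    """HMAC-SHA256 under a secret key kept outside the database (HSM/KMS).

    Without the key an attacker cannot compute candidate digests at all,
    so the small phone-number keyspace no longer matters. The trade-off is
    that the key becomes the thing you must protect.
    """
    return hmac.new(key, phone.encode(), hashlib.sha256).digest()


def brute_force_salted(target: bytes, salt: bytes,
                       space: Iterable[int]) -> Optional[str]:
    """Attacker holds (salt, digest) from the stolen table and tries every
    number in the space. Cost is one hash per candidate per row."""
    for n in space:
        cand = f"+{n}"
        if hmac.compare_digest(salted_hash(cand, salt), target):
            return cand
    return None


def brute_force_keyed(target: bytes, space: Iterable[int],
                      guessed_key: bytes = b"\x00" * 32) -> Optional[str]:
    """Same attacker, but the table only holds HMAC digests and the key
    was never in the database. Enumerating numbers under a guessed key
    finds nothing, even when the true number is in the space."""
    for n in space:
        cand = f"+{n}"
        if hmac.compare_digest(keyed_hash(cand, guessed_key), target):
            return cand
    return None


def verify_submission(submitted_phone: str, stored: bytes, key: bytes) -> bool:
    """Server-side check of a number the user typed in, or the caller ID on
    an inbound SMS, against the stored keyed digest. compare_digest avoids
    leaking how many leading bytes matched through timing."""
    return hmac.compare_digest(keyed_hash(submitted_phone, key), stored)


if __name__ == "__main__":
    salt = bytes(range(16))   # constructed; use os.urandom(16) in practice
    key = bytes(range(32))    # constructed; use a KMS/HSM-held key in practice
    stolen_salted = salted_hash(SAMPLE_PHONE, salt)
    stolen_keyed = keyed_hash(SAMPLE_PHONE, key)
    print("salted recovery:", brute_force_salted(stolen_salted, salt, SEARCH_SPACE))
    print("keyed recovery: ", brute_force_keyed(stolen_keyed, SEARCH_SPACE))
    print("verify ok:      ", verify_submission(SAMPLE_PHONE, stolen_keyed, key))
```

Two caveats the code does not change. Slow hashes (scrypt, Argon2) only multiply the attacker's cost by the work factor; 10^10 candidates at a tenth of a second each is a few CPU-years per row, which is a budget, not a barrier, and the enumeration parallelises across rows only until salts differ. And the keyed variant does nothing against SMS sender spoofing: verify_submission trusts whatever caller ID the carrier handed over, which is the objection raised in the thread.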
The strawman of using the date of breach here is asserting that the breach was in response to another event.
Timeline of releasing the breached data can be correlated with another event, but the date that they obtained the loot is irrelevant. They could have simply purchased this from an unknown 3rd party themselves. We simply don't know.
It does matter, because it represents the difference between two different scenarios that don't have the same chance of occurring:
1. The FBI/CIA hacked Twitter and leaked their database in retaliation for the "Twitter files"
2. The FBI/CIA hacked Twitter (or someone else did and they obtained the data) back in early 2022 (for an unknown reason), and are now leaking the data in retaliation for the "Twitter files"
It’s moot anyway, since they can always filter their stolen databases by potential methods of exfiltration, so the dump looks like it only used a certain vulnerability.
All we know for sure is that someone is attacking Twitter via blackmail via hacking just after Twitter released bad PR for some of the world's most powerful hacking organisations.
All the skeptic comments in this thread seem to worry about the veracity of the claims, but that’s irrelevant to the question of would FBI/CIA retaliate.
The “Twitter Files” showed Twitter was actually doing a better job at being balanced and fair than I thought they were. It’s embarrassing that anyone who read those threads came away thinking this was proof Twitter was doing evil things.
The irony of the Twitter Files, which showed Twitter leadership going through a painstaking process of determining what sort of actions they would take and the impacts in both directions of taking vs not taking an action, before coming with a decision, being released at the same time as ElonJet was banned, with a post-hoc made up BS policy of banning “doxxing” (which ElonJet wasn’t, by any definition of the word), followed by an arbitrary decision to ban certain 3rd party links with that arbitrary decision then being arbitrarily partially rolled back (?), was way too ridiculous.
The FBI and CIA were driving the removal or soft-censoring of speech that the US government didn't like. People spent a lot of the last decade saying that this never happened and that Twitter was just a private company operating on their own, instead of being the censorship arm of the government and in many cases staffed by ex-government...
Also, I wouldn't call Twitter's original moderation fair or balanced. There were clearly voices within who thought they were trying to fit policy to decisions they'd already made post-hoc. (Unfortunately if anything it's even worse now.)
> The FBI and CIA were driving the removal or soft-censoring of speech that the US government didn't like.
There’s no right to post CSAM or revenge porn on the internet, so of course the FBI “drives the removal” of that, it is their job.
I’ve done legal compliance for this elsewhere, I have turned down government requests without being persecuted in return, and I know for a fact Twitter’s previous administration was one of the most aggressive at fighting back here and put a great deal of legal effort into it. Example of a more cooperative response would maybe be Amazon Ring.
There’s also no right for foreign intelligence ops to post on US social media so of course the CIA has opinions on that, it’s their job. Etc.
(Current example of this one: a Chinese group is flooding Twitter search for different Chinese city names with ads for sex workers, to block people searching covid news.)
All these things happen under the rule of law, not random emails. If you don’t like it, change the law. I don’t know why you’d want to do that though.
I agree people might’ve said something other than this, but those people are amateurs and are wrong; talk to the EFF if you actually need advice here.
Why are you bringing up CSAM or revenge porn when the material and accounts referenced by the Twitter Files were ones that post content that was misaligned with the geopolitical goals of various US government organisations?
No, Taibbi is just lying. You can look up the deleted posts on archive.org and they’re pictures of Hunter Biden’s penis, which I will not link.
Some of them aren’t; these are mistakes. law enforcement can report posts the same way anyone else can, and if they report the wrong ones you can ignore them. They don’t have special powers. It’s fine.
(Also, Taibbi moved to Russia in the 90s, assaulted underage women, and publicly wrote about it in his publication the Exile. This is also a kind of bias.)
I think Elon literally hiring a Russian sex criminal to release his news for him is a considerably more notable thing than an ad hominem attack! It’s not like he was the most natural choice. (Not intended as an ad hominem on Elon, who has more than enough problems. Literally I don’t know why he did it.)
He could’ve just had Bari Weiss release everything. (Weiss has, in the meantime, been unfollowed and presumably fired as Elon’s journalist because she tried to mildly criticize him once.)
I did some additional research into this Taibbi person, and in addition to being a Russian sex criminal, it turns out he's done some work as a journalist. I think that might have something to do with why Elon chose him to release the news.
I promise in the real world it is perfectly sensible to not trust a person on any topic if that person is a Russian sex criminal. Journalists interpret events and are not beep-boop robots printing out emotionless lists of facts. You can find a different journalist!
There are a group of people releasing the Twitter Files. Are we going to name call them all as sex criminals? Were any even found to be guilty by a court or are you simply applying dirty tricks? And how is that relevant to the truth of the content? Are you going to respond to me telling me that at the root of this is Hunter Biden's penis?
No, only Taibbi is. I think there’s a third guy but can’t say I know anything about him.
But this is something in the real world, not a logic puzzle, and unfortunately in the real world you actually do need to consider the context of everything using all available information. I mean, you going “this guy is just coincidentally a sex offender” is not the common man on the street’s response, and most journalists are literally not sex offenders.
I don’t know what Elon is doing. He’s of course extremely compromised by multiple governments, I mean he owns SpaceX and a Chinese Tesla factory, and Saudi Arabia (who’s planted spies at Twitter before) is a major investor now. I also suspect Elon doesn’t know what he’s doing, though.
I think you should apply the same criticism and context to your own posts, which literally consist of trying to link information to sex crime in order to attempt to change the conversation.
You have effectively moved the conversation from 'the FBI requesting removal of illegal content' is completely different from 'the FBI is acting to enforce censorship of protected speech with Twitter's willing compliance' to 'is the journalist being an alleged sex criminal relevant'. So let's all stop that line and go back to 'regardless of anyone's past activity raping people, you are wrong.' Retort?
The context and text within the emails doesn't match what you just wrote and from what I've seen there were 1000s of deletions -- not only of Hunter Biden's penis as you imply...
It makes zero sense to me that this email (https://twitter.com/mtaibbi/status/1606701482308669440?s=46&...) would have anything to do with Hunter Biden's penis. The Twitter employee is clearly talking about feeling unable to not act on a pro-russian tweet even though they hadn't been able to support any action on it using Twitter's own policies.
The point is, the US government partially infiltrated Twitter, and then applied regular external pressure on it to apply badly defined policies against their targets.
Btw, I endorse all US influence operations run on any websites and think all of them are awesome. America #1, after all.
If you want Twitter to be upset about that one, you may have to get them to move to some non-aligned country. Maybe there’s some kind of Yandex Twitter? In the meantime, it’s probably against TOS insofar as it’s a spambot, but state media like VOA seem okay.
Well, how soon will it be until non-US aligned social media like TikTok is banned in the US anyway? The popular alternatives that you speak of may end up banned.
Also I don't understand why non-US citizens should be allowed to have their speech rights crushed by the US government. Many people of different nationalities live in the US and should be free to speak -- they shouldn't be censored by the US government wearing a glove ("US Tech Organisations") but effectively calling the shots.
If TikTok was banned that’d be disappointing. I don’t expect it to be; the plan where Oracle bought it was better. It is a problem that China influences it.
I don’t think the EU is capable of making a popular social media site either unfortunately. They don’t have the culture.
Twitter does have blatant Chinese propaganda up, like their wolf warrior diplomats and Chen Weihua, which is another good sign for what they’re allowing elsewhere. Maybe that’s just because Chen is so incompetent it’s funny to let him post…
Why would they do that? It’s normal for Chinese export and domestic businesses to be completely different too - you can get all the Winnie the Pooh merch you want made there.
Not being hypocritical isn’t even a universal virtue.
There are a few responses people have found useful to misdirect and shut down conversation around this topic. Nothing burger, and the claim that it was about revenge porn, are strong signals that this is one such stock response.
It’s disappointing how the commenting postures surrounding culture war issues curtail curiosity, the spirit of inquiry more generally. A now naive-seeming but widely held assumption about the information revolution was that the instant availability of primary source material would lead to more informed public debate. It’s now apparent to me that knowing how you’re supposed to feel, and what others think, are more important— at the very least more useful— than any naive interest in trying to interpret the messy reality.
It’s not not their job to be informed about state crimes.
I don’t think it’s a crime to literally leave it up in the same way distributing CSAM is, but it’s evidence someone is committing a crime, which is a TOS violation most places as most sites don’t want to encourage that. And Twitter’s TOS is what Twitter cares about. Whether reports come in as emails or their annoying inefficient report form is not important.
Slight correction: alleging Donald Trump's government was doing unconstitutional acts.
Which we know they did, in spades, in other contexts; but I've seen no evidence in the "Twitter files" to indicate anything illegal was going on in this context. The government briefed Twitter that they expected disinformation campaigns and to be on the lookout for them. The government also flagged a bunch of tweets as "hey, these are sus and might violate your rules, you ought to take a look" like anyone else can do.
Whatever Musk and Taibbi are trying to cook up, they seem to have forgotten who was running the federal government at the time. It wasn't Joe Biden or tHe LiBeRaLs. The whole thing is stupid.
Thanks for the correction, it’s an interesting point. In terms of CIA and FBI involvement, why didn’t he put a stop to it if he could? How would the censorship have benefitted him?
One thing I can’t get my head around is Twitter censoring joke accounts. Do you think it was because they were under so much time pressure that they erred on the side of trusting the Government suggestions?
>One thing I can’t get my head around is Twitter censoring joke accounts. Do you think it was because they were under so much time pressure that they erred on the side of trusting the Government suggestions?
If a joke account specifies it's a joke account in its profile information, great. But that content doesn't get displayed when someone shares a tweet made by that account.
Now, think about how many times you may have come across something on the internet that was a joke, but also easy to misread as a serious comment. Such is the nature of a lot of online dialogue.
You've now got a tweet that can easily be (mis)read as truthful, being shared by people on their accounts who could insist to their own followers (who might not do their own due diligence and look at the joke account's profile to see that it's fake) that it's real, and voila, suddenly you've got a joke being used to spread misinformation.
I'm not defending Twitter or taking a side here, nor am I saying that's what happened. But it's a possibility that that's one perspective taken.
What odds are you taking? I'll take 1:4 odds of bankruptcy in Jan 2023 up to £500 (e.g. I get £125 if it doesn't go bankrupt then and you get £500 if it does).
And now they’ve been saddled with debt whose interest is equal to about their annual revenues before 50% of their largest advertisers stopped advertising.
And they’ve certainly exposed themselves to massive FCC and EU fines.
I think Jan 2023 is way too early, but Twitter has a lot of financial footguns just waiting to go off.
If you're offering to bet randos on HN 10k euros, I don't think you are dead serious.
edit: oh god there are two more people doing the "Oh I'll bet! How much?" - I've seen this hundreds of times before. Someone states their honest opinion on here, and a handful of others chime in trying to goad them into staking money on it. When they obviously don't (because why on earth would they?) they get accused of being insincere, not being willing to stake "real" money on it (with perhaps the implication that they're small-fry, and do not have the means to do so unlike the wealthy, high-rolling proposer of the wager), or whatever. It's childish, nobody thinks you're cool and nobody believes you'd actually make a frivolous 10k bet with a pseudonymous person.
I would actually. There are online escrow services for that.
Also I didn't goad anybody into doing anything: they offered to bet and I took the bait (and then edited their post to remove the request for betting). Not the other way around.
If you're not willing to bet, then don't create a post on the internet stating that you're willing to bet? simple.
Eh I didn't see any offer to bet anything, but in any case if someone on HN says "I bet that XXX happens" then it's safe to say they don't mean "I will bet anything that XXX, name your terms and I will match them, otherwise I concede since you have bested me using logic!"
This is not a betting platform and tbh I think dang et al would get in trouble if it turned out HN was facilitating some form of gambling. In reality trying to make someone put money behind their predictions is a way to try to make them back down, look silly/small/cheap and as I said originally, it is childish. Don't do it.