Hackers Scrape 90,000 GETTR User Emails, Surprising No One

Just days after its launch, hackers have already found a way to take advantage of GETTR's buggy API to get the username, email address, and location of thousands of users. Motherboard reports: Hackers were able to scrape the email addresses and other data of more than 90,000 GETTR users. On Tuesday, a user of a notorious hacking forum posted a database that they claimed was a scrape of all users of GETTR, the new social media platform launched last week by Trump's former spokesman Jason Miller, who pitched it as an alternative to "cancel culture." The data seen by Motherboard includes email addresses, usernames, status, and location. One of the people whose email is in the database confirmed to Motherboard that they are indeed registered to GETTR. Motherboard also verified the database by attempting to create an account with three email addresses that appear in the database. When doing that, the site displayed the message: "The email is taken," suggesting it's already registered. It's unclear if the database contains the usernames and email addresses of all users on the site. Alon Gal, the co-founder and CTO of cybersecurity firm Hudson Rock, found the forum post with the database. "When threat actors are able to extract sensitive information due to neglectful API implementations, the consequence is equivalent to a data breach and should be handled accordingly by the firm and to be examined by regulators," he told Motherboard in an online chat.

Well, to be fair...

[fahrbot-bot]

Hackers Scrape 90,000 GETTR User Emails, Surprising No One

The people at GETTR were probably surprised (otherwise they knowingly and willfully put deficient code online) ...

Re: Well, to be fair...

[maybe111]

I just registered... first time I heard about it.... thanks to the leak

Good point!

[SuperKendall]

I just registered... first time I heard about it.... thanks to the leak

For online services all news is good publicity! Just look at the success of Twitter and Facebook where you would have thought a company would be wrecked ages ago by bad publicity...

Re:

[Ol Olsoc]

I just registered... first time I heard about it.... thanks to the leak

For online services all news is good publicity! Just look at the success of Twitter and Facebook where you would have thought a company would be wrecked ages ago by bad publicity...

I trust that was sarcasm? The lunatic right has been having some issues with their social media platforms recently.

Although, a honeypot social media would be a good way to keep track of them.

Re:

[inthegreenwoods]

Russia if you are listening? Putin thanks you for supplying the mailing list he will be using in the mid terms.

Re:Good point!

[fazig]

You might be ignoring some factors here.

Yes, both twitter and facebook have had their controversies that generated bad publicity.
However, through their services, they managed to get and lock in a huge user base way before they were struct with any major controversy.
(At least none that the general public cared about. People like myself have been warning others over data privacy issues for decades now, but for the most part we've been called paranoid and conspiracy theorists).

You could say they were already 'too big to fail' in the eyes of the majority of their user base, when they were hit with bad publicity. Hence their user base, who was convinced that they need those platforms bailed them out again.
Here I'd argue that those platforms kept being successful despite bad publicity, not because of bad publicity.

I'm not sure if this is given for new platforms. We'll have to see how that pans out.

Re: Well, to be fair...

[Anonymous Coward]

Should be 'surprises no one on the outside'. The way Trump and his minions do things is destined to fail. You can grift yourself through a political debate or a real estate deal. You can't do that in (software) engineering.

Re: Well, to be fair...

[AmiMoJo]

I hope you used fake data and a disposable email address.

The site is rather poorly developed and full of exploitable weaknesses. Take this account as an example:

https://gettr.com/user/RealAdo... [gettr.com]

It's got a tick (which isn't just Unicode attached to the name) so it's been "verified" to be the "real" Adolf Hitler somehow. Either the site operators are untrustworthy and will verify accounts as a joke, or the system is easily hacked and you can't be sure any verified account is really who they say they are.

Re:

[Joce640k]

The people at GETTR were probably surprised (otherwise they knowingly and willfully put deficient code online) ...

Nah, it was probably them that did it. They have to get this thing in the news headlines as much as possible.

They got 90000 users?

[Anonymous Coward]

That surprised me..

Re:They got 90000 users?

[Opportunist]

Nah, about 200 users and 89800 sock puppet accounts for shills.

Re:

[windypops]

As well as a ton of journalists hoping to be there when someone famous finally signs up. It's looking like the far-right's time in the sun is on the wane again. They're still noisy online, but you never know how much of that's organised troll farming. Here in the UK, a far-right news channel, hoping to emulate Fox News, got off to a bright start, before its viewing figures plummeted to somewhere south of Welsh language kids' programming.

Re:

[AmiMoJo]

Early on some accounts were showing 250k+ followers. They have clearly been fiddling the stats to make the site look more popular than it is.

Re:

[samwichse]

I got modded down to zero in the last GETTR thread here for cracking joke it should be called "GUTTR" in response to articles exposing that they were scraping old tweets to fill in content and their security was crap.

I wonder where those brave, silent mods are today.

Re:

[Opportunist]

Give 'em time, they just woke up and modded me Troll.

It's still early in Trumpistan.

CFAA

[michaelmalak]

Motherboard also verified the database by attempting to create an account with three email addresses that appear in the database. When doing that, the site displayed the message: "The email is taken," suggesting it's already registered.

Isn't that a violation of the Computer Fraud and Abuse Act of 1986?

Re:

[PhunkySchtuff]

Motherboard also verified the database by attempting to create an account with three email addresses that appear in the database. When doing that, the site displayed the message: "The email is taken," suggesting it's already registered.

Isn't that a violation of the Computer Fraud and Abuse Act of 1986?

Yeah, but the Computer Fraud and Abuse Act of 1986 is overreaching legislation implemented by a corrupt and false government and true Libertarians should resent the government making laws about what people can and can't do.

Re:

[Anonymous Coward]

Interesting stuff, probably not (last one)--and scraping the email addresses may not violate the CFAA either (first one).

1. HiQ Labs v. LinkedIn, 2019. The Ninth Circuit Court of Appeals ruled that scraping a public website without the approval of the website's owner isn't a violation of the CFAA.[46] A Supreme Court appeal is pending.[47]
2. Sandvig v. Barr, 2020. The Federal District Court of D.C. ruled that the CFAA does not criminalize the violation of a website's terms of service.[48]
3. Van Buren v. United Sta

Re:CFAA

[Entrope]

The Supreme Court just handed down a ruling that limited the application of CFAA in cases like that. Under the logic in Van Buren v. United States, using that kind of email registration test is almost certainly authorized, but grabbing the database through an API without permission would be illegal.

Re:

[cascadingstylesheet]

but grabbing the database through an API without permission would be illegal.

Yep. But laws aren't there to protect people that we don't like! Get with the program.

How are they hackers?

[Yurka]

Even the tortured interpretation of CFAA that the government liked to use to make open API calls sound like federal crime has been out the window for more than a month now, with the SCOTUS decision in Buren. Sloppy journalism.

Re:

[Opportunist]

Moreover, why would anyone outside the US give a fuck about the CFAA?

Re:

[AmiMoJo]

The API should not be giving out information like email address and date of birth in response to random requests.

Clear GDPR data breech, but since I was not registered on the site I cannot make a complaint. I looked at it but some of the stuff it recommended made me not want to sign up.

https://i2.wp.com/boingboing.n... [wp.com]

Well now

[93 Escort Wagon]

It's a good thing other online services never make these kinds of mistakes!

Re:

[Known Nutter]

It's a good thing other online services never make these kinds of mistakes!

Yes, but we're not discussing other services. This thread is about that steaming shitpile called gettr or whatever it is. Don't be a smoothed-brain whataboutism-touting moron.

An updated tutorial about whataboutism

[null etc.]

OK ladies and gentlemen, here is an updated tutorial to teach you how to successfully use "whataboutism" to protect your delicate little ears from harmful words that might hurt your brain.

Whenever you hear something you don't like, simply ask, "But whatabout, whatabout, whatabout, whatabout, whatabout, whatabout, whatabout, whatabout, whatabout, whatabout, whatabout, whatabout, whatabout, whatabout, whatabout, whatabout, whatabout, whatabout, whatabout, whatabout, whatabout," and so on, until the other pers

Re:Well now

[ceoyoyo]

It seems odd the American extreme right named their social media platform after a gay hookup app.

Or maybe not?

Re:

[Opportunist]

How many services do you know that were breached within days of launch?

Re:

[Opportunist]

Looks like as soon as politics are involved, security is fucked.

Maybe we shouldn't let politicians near the internet. It's better for the safety and security of all of us.

honeypot

[awwshit]

C'mon obvious honeypot. Pooh figured this out for us. "I'm just a little black rain cloud, hovering under the honey tree."

Oh bother. I'm so rumbly in my tumbly. Could you spare a small smackerel?

Re:

[Ol Olsoc]

C'mon obvious honeypot. Pooh figured this out for us. "I'm just a little black rain cloud, hovering under the honey tree."

Oh bother. I'm so rumbly in my tumbly. Could you spare a small smackerel?

I know - a honeypot would be great - but damn - Trump shut his font of wisdom down, Loyal Lindell is having real problems with his so called Free Speech site, and GETTR has 90K users? A good number that are probably law enforcement. Damn, this group is hardly the overwhelming sea change claimed.

Oh well, they need tracked in case they want to "tour" Washington again.

Re: honeypot

[seliris]

Ohhh the liberals are so mean for not letting people talk about genociding black Americans. Oh theyâ(TM)re so mean! Just so cruel and mean! This isnâ(TM)t anything like trying to stop ISIS from recruiting over the internet. Sorry you whiny ants lost your ability for us to pretend like you have legitimate political differences when you terrorized the Capitol.

Them interwebs are too hard for the Trumpholes

[Required Snark]

The InterWebTubes are secretly controlled by DeepState hacker feminatzis who use evil tricks like thinking and competence to keep true 'Merican White Guys from spewing the contents of their tiny brains out to their equally micro-minded followers.

In other news, GITTR is also being spammed by lefty trolls with Sonic the Hedgehog Furry Porn, [kotaku.com] who claim their posts are protected by Free Speech.

Film at 11.

Re:

[cfalcon]

I can pretty much promise you that the "gettr" technical work wasn't the work of a bunch of similarly-minded conservatives or "liberal-haters" or whatever you're saying. I'm sure the coding was just bought at market prices by whomever was selling, and politics had nothing to do with any of that.

Re:

[AmiMoJo]

GETTR markets itself as "the marketplace of ideas" (and appears on the 2nd page of google results here, so I guess the marketplace has spoken), but like most of the other sites claiming to be a haven for open and free debate it's actually just full of trolling and bile that makes any nuanced discussion impossible.

Um

[cascadingstylesheet]

who pitched it as an alternative to "cancel culture."

So the concept of "cancel culture" is crazy and has to be put in scare quotes ... say the people celebrating the successful hacking attack on a speech platform they don't like, lol

Re:

[Ol Olsoc]

who pitched it as an alternative to "cancel culture."

So the concept of "cancel culture" is crazy and has to be put in scare quotes ... say the people celebrating the successful hacking attack on a speech platform they don't like, lol

Yeah - but Republicans are just as good at cancel culture, so the argument is pretty null.

References provided on request, but big boys use their google fu.

Re:

[eaglesrule]

When was the last time Repubs instigated violence to shut down their oppositions political rally? [chicagotribune.com]

Somehow, boycotting and the tactic of slandering someone to their employer to get them fired doesn't seem to be equivalent.

Re:

[Ol Olsoc]

When was the last time Repubs instigated violence to shut down their oppositions political rally? [chicagotribune.com]

Somehow, boycotting and the tactic of slandering someone to their employer to get them fired doesn't seem to be equivalent.

Republicans tried to take over congress, Erected a gallows to hang Pence - threatened to kill Nancy Pelosi, and Cortez, and killed a cop.

Those are facts - if you don't believe them, you are one of them, and supported the putsch

Re:

[Luckyo]

Wait, people still believe the "killed the cop" lie after all publications who printed that lie were forced to retract it?

Re:

[eaglesrule]

'take over congress', yeah keep up the hyperbole for what would been a 'mostly peaceful protest' under any other circumstances.

Here's your gallows. [shutterstock.com] I guess they were supposed to saw Pence's legs off first to get it to work.

Of course the narrative surrounding officer Sicknick who died of an unrelated stroke was a complete lie, because of course it was.

If being one of them means I'm opposed to bullshit liars on the left, then count me in.

Re:

[Ol Olsoc]

Yeah we do know who ya are. Good to see you support the end of the republic. Will you be in Washington on August 16th? Mike Lindell's put the word out that Trump will emerge triumphantly, and will rule unimpeded.

Re:

[eaglesrule]

Yup I'm the guy who receives projection after proving what a lying scum fuck you are. Thanks for being consistent and predictable.

Re:

[Ol Olsoc]

Yup I'm the guy who receives projection after proving what a lying scum fuck you are. Thanks for being consistent and predictable.

Yes, yes indeed. No projection here, Cletus. Just having fun getting you triggered. Not at all surprising.

But tell me, were you upset when your guy called you low class during your peaceful tourist action? https://www.politicususa.com/2... [politicususa.com]

Re:

[eaglesrule]

The irony is that the people most critical of Trump's honesty and that of the Republicans prove themselves to be even less trustworthy to anyone capable of thinking for themselves.

Enjoy lapping up your hyper partisan brazen propaganda and then regurgitating it here. I'm sure it makes you feel good.

Re:Um

[quantaman]

who pitched it as an alternative to "cancel culture."

So the concept of "cancel culture" is crazy and has to be put in scare quotes ... say the people celebrating the successful hacking attack on a speech platform they don't like, lol

Remember the old "won't someone think of the children!". Their problem isn't with the cancellation in "cancel culture", it's with the fact that they're not the ones dictating who gets cancelled.

As for the successful hacking, a huge part of the narrative among conservatives is the idea that there's all these uber-competent conservatives on the far right who are being unjustly silenced by the mainstream media. The fact that their amateurish Twitter alternatives keep getting hacked, and their sketchy political stars keep getting indicted, is evidence that these far right conservatives are a few coconuts short of a cargo cult. When Ben Shapiro is counted as an intellectual giant in your movement you need to watch that you don't hit your head on a doorstop.

Re:

[AmiMoJo]

"Cancel culture" is just a scary way of saying "freedom of association".

Re:

[RoccamOccam]

"Cancel culture" is just a scary way of saying "freedom of association".

Freedom of association + doxxing + confrontation at restaurants + ...

Slogan

[phalse phace]

Their slogan: "Join and Gettr personal data scraped"

Re:Slogan

[paiute]

I thought it was "Gettr done!"

No, it is 'Gettr: Done.'

What did you expect?

[Opportunist]

In best private business tradition, it's made by the lowest bidder.

Status?

[Growlley]

you mean gullability level - ie how much money can we grift from them.

A question about "From the desk of Donald Trump"

[Hemi Rodner]

People keep claiming that Trump's blog got zero traffic. How do we know that at all? It's not that the stats were publicly published..

PS: You can read the old blog here [archive.org]. I wonder how come it's still working even when the JavaScript is running from archive.org instead of the original site.

Re:

[Locke2005]

It only had 14,000 subscribers at peak.

scraping ?

[John-after-logtime]

Is it really "scraping" if you are using the API ?

To be fair...

[Locke2005]

80,000 of those emails were just for Russian bots!

Gettr? Who names this stuff?

[FellowConspirator]

Honestly. "Gettr" sounds kind of rapey. Next thing you know Trump will try and crowdfund a trip to London and name it "Going to Pound Town".

Re:

[vandamme]

If I want to hear from an asshole I'll just fart.