Massive X data leak affects over 200 million products.
FTFY.
this post was submitted on 01 Apr 2025
876 points (99.4% liked)
Technology
68244 readers
3931 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
Massive X data leak affects over 200 million bots.
Thoughts and prayers
this leak has proven in the past to be fatally dangerous to anonymous activists fighting tyrant governments all around the world. let's hope it does not fall into the wrong hands
If you use anything but TOR together with spoofed VPNs for "activism" against a government that would jail/kill you, you are being reckless.
If you use X for your activism, you're not an activist you're a fed honeypot.
It's not realistic to expect your average civic minded person to also have such operational securitt. Instead the bad actors who threaten them should found, exposed, dismantled, persecuted with extreme prejudice
It fell into the wrong hands 3 years ago. If those people failed to recognize the danger they put themselves in by continuing to use the platform they are shit out of luck cause Musk will never take responsibility.
Imagine being stupid enough to use x.com for your activism 🙄
I think they mean 10 million users, 30 million abandoned accounts, and 160 million bots.
Seems like a dedicated person might be able to prove that. Go through the available data and see what % of leaked accounts actually point to a real person, or even a unique person. If it's mostly bots you'd see that pretty quick
Check how many accounts pushing republican propaganda only post during St. Petersburg business hours... 🙃
This vulnerability made it possible to collect user data simply by knowing someone’s email address or phone number.
Another example of where it pays off to have separate email addresses/aliases for every website/service you use.
Wait, so you literally have hundreds of accounts? How do you manage them all?
My email provider allows for unlimited aliases. So, while I have 600+ email addresses, emails to them all end up in the same mailbox.
The accounts for all the websites and services (with their specific email address) are in a KeePass database and they all have random passwords, too.
The only small issue is when you have to contact support of some service. Then, I have to configure the specific email address in my client so they can match that to my account with them. But most email clients allow multiple sender addresses without having to fiddle with the rest of the settings.
My email provider allows for unlimited aliases. So, while I have 600+ email addresses, emails to them all end up in the same mailbox.
I do this too. The unique email address I create for each is identifiable to the place I'm using it. This has other benefits. If an organization you created and account with sells or has a data breech you know exactly which company it was when you start receiving spam or phishing email directed to that address. This is also nice because you can "black hole" that email address and all the spam goes with it even future spam not sent yet.
Exactly! I add a random string to each email address, too, so you can’t just guess other addresses. So, it’s usually something similar to lemmy-r4nd0m@mydomain.me. And, whenever a breach happens, I’ll generate a new random part and set that as my email address and invalidate the old one. Until the next breach. (Looking at you, LinkedIn…)
load more comments
(1 replies)
This is what I do as well. I purchased my own custom domain name and run aliases off it using Addy. So as an example, an email for an online account would look like: random9.words@mycustomemail.com
Then I feed these accounts into a password manager so I don’t have to remember them.
All the aliases forward mail directly to my main inbox. Companies never see what my real address is. If I get spam, I know which company either sold my data or leaked my data. I can then take action by simply turning off that email alias and then spinning up a new one.
The best thing about owning your custom domain is that you’re in control and never have to change your email addresses. If I want to move to a new email provider, I can easily do that. The process, simplified:
- Buy a domain name
- Sign up for an email account at Tuta, Mailbox, etc.
- Set up your custom domain at that provider.
- Go to your Domain provider and update your MX records so that it syncs with the email provider.
- if you want to switch email providers, get a new one and then update your MX records to point to the new provider.
- If you updated your records to point to the new provider, you’re done. It’s that simple. You won’t miss an email.
Edit: All providers make it very simple to set up a custom domain. If you can follow instructions and copy and paste text, their systems will run checks to make sure you did it correctly and it’s syncing properly. Very easy for those who aren’t technical.
wouldn't profilers simply track via the domain tld instead of the whole address...shopping1 at uniquedomain, bank2 at uniquedomain , etc
and in the case of aliasing, couldnt a domain provider tell where the aliases rout to and sell that info as a side earner?
Great questions! Seriously, those made me think for sure.
For question one, I suppose a profiler could do that. If my domain name is myemaildomain.com, they probably could track all emails and sell it collectively. But I don’t think corporations do that at this time. That would be akin to profiling all Hotmail, Gmail, Live, etc emails, appreciating those are massive services. I suppose if nefarious actors were to do that to my domain, I could consider switching domains - I have multiple domain names I own, and it’d be trivial to use the other ones. In the years I’ve been using a custom domain for email, I haven’t encountered any nefarious actors and have significantly eliminated any spam.
For question two, the domain provider I use doesn’t do that in their terms of service. However, if they did look at my MX records and decided they wanted to profile me as a user of Addy, they definitely could do that. Though it would hurt their business as many users would migrate their domains to new registrars - I certainly would move my domains to a new registrar!
load more comments
(6 replies)
Password manager plus an emailing alias service. Protonpass integrates with SimpleLogin but there’s also ones like Firefox relay and anomaly (all open source)
load more comments
(2 replies)
Yes, and Bitwarden+SimpleLogin. Bitwarden to keep track of login info including the alias that is used for that site. SimpleLogin is where the aliasing is actually handled, they have a decent UI for enabling/disabling or generating reverse aliases (for outgoing emails) when needed.
It does take a little more effort to manage it, but it’s worth the payoff. I’ve been using this setup for about 9 months now and I finally got my first spam email a week ago. I looked at the address it was sent to, it was an alias I used at a site I ordered something from about 6 months ago. I sent them a message letting them know that either someone at their company is selling customer info to scammers or their database has been leaked, then I shut off the alias. No more spam.
load more comments
(1 replies)
load more comments
(5 replies)
This is why I gtfo when Elon took over. I knew something like this would happen.
Exactly this. We knew that everything would get shaky after he fired all those people and a data leak is the consequence
He sent his tech bros in to fix the database. Now they'll use the same skills to fix the SS databases.
Quick everyone do their banking on it!
That’s like, 400 actual non-bot accounts. Nobody is safe anymore!
Someone should check the email and phone number of Adrian Dittman to see if they match Elon's. Idiots can argue that it isn't Elon despite speech pattern evidence, but it's harder to argue when both of them share the same identifying info.
I thought he fessed up to that
Who is/was Adrian Dittman? Out of the loop of Twitter drama.
Someone Musk made up to simply glaze himself on twitter.
So his version of HitlerPig's John Baron?
load more comments
(2 replies)
So what is that, like 6 or 7 people?
A sock for every puppet.
It also includes the people that deleted their Twitter accounts following the acquisition. I'm one of those people and I'm especially annoyed because I only used that blasted app only to register to some giveaways when I was in middle school. I have since discontinued that email account, but still.
If it had happened now, that figure might be accurate. However, this was originally exploited in 2022, so it's probably pretty bad.
lmaoooo
Or this could be publicity stunt "look how many users we have, many users, beutifull users like never before, nobody knew how many users as there".
I still can't believe Xerox still has that many users
lol
In July 2022, Twitter confirmed that someone had exploited the vulnerability before it could be fixed. “After reviewing a sample of the data offered for sale, we confirmed that a malicious party had taken advantage of the problem before it was addressed,” Twitter stated at the time.
lol
view more: next ›