Hackers Scrape 90,000 GETTR User Emails, Surprising No One
Just days after its launch, hackers have already found a way to take advantage of GETTR's buggy API to get the username, email address, and location of thousands of users.
by Lorenzo Franceschi-Bicchierai
July 6, 2021, 11:06am
Hackers were able to scrape the email addresses and other data of more than 90,000 GETTR users.
On Tuesday, a user of a notorious hacking forum posted a database that they claimed was a scrape of all users of GETTR, the new social media platform launched last week by Trump’s former spokesman Jason Miller, who pitched it as an alternative to "cancel culture." The data seen by Motherboard includes email addresses, usernames, status, and location.
One of the people whose email is in the database confirmed to Motherboard that they are indeed registered to GETTR. Motherboard also verified the database by attempting to create an account with three email addresses that appear in the database. When doing that, the site displayed the message: "The email is taken," suggesting it's already registered.
It's unclear if the database contains the usernames and email addresses of all users on the site.
Alon Gal, the co-founder and CTO of cybersecurity firm Hudson Rock, found the forum post with the database.
Embedded Tweet
Gal argued that this incident should be considered a data breach.
"When threat actors are able to extract sensitive information due to neglectful API implementations, the consequence is equivalent to a data breach and should be handled accordingly by the firm and to be examined by regulators," he told Motherboard in an online chat.
GETTR did not immediately respond to a request for comment sent to an email address displayed on the app's Google Play page.
GETTR's rollout hasn't exactly been smooth. On July 4, the day of the site' official launch, a hacker broke into and defaced some of the site's most prominent users, including its founder Jason Miller, former CIA director Mike Pompeo, former Trump advisor Steve Bannon, and pro-Trump congresswoman Marjorie Taylor Greene, as first reported by Insider.
The hacker told Insider that he targeted the site "just for fun" and that it was "easy" to hack.
"They should not publish the website before making sure everything, or at least almost everything, is secure," he said.
On the day of its launch, security and privacy researchers warned that GETTR's API was poorly programmed and had several bugs. One of them made it possible for someone to figure out whether a given person is on GETTR. Another bug exposed a user's list of muted and blocked accounts, according to former FTC chief technologist Ashkan Soltani.
Last week, cybersecurity reporter Zack Whittaker predicted that someone would soon scrape all the website's content. For now, no one has scraped all the content on the site—at least that we know—but tens of thousands of GETTR users have now had their email addresses exposed.