Hive Social, a social media platform that has seen meteoric growth since Elon Musk took over Twitter, abruptly shut down its service on Wednesday after a security advisory warned the site was riddled with vulnerabilities that exposed all data stored in user accounts.
“The issues we reported allow any attacker to access all data, including private posts, private messages, shared media and even deleted direct messages,” the advisory, published on Wednesday by Berlin-based security collective Zerforschung, claimed. “This also includes private email addresses and phone numbers entered during login.”
The post went on to say that after the researchers privately reported the vulnerabilities last Saturday, many of the flaws they reported remained unpatched. They headlined their post “Warning: do not use Hive Social.”
Hive Social responded by pulling down its entire service.
“The Hive team has become aware of security issues that affect the stability of our application and the safety of our users,” company officials wrote. “Fixing these issues will require temporarily turning off our servers for a couple of days while we fix this for a better and safer experience.”
The Zerforschung post said the vulnerabilities were so serious that they were withholding technical details to prevent the active exploitation of them by malicious hackers.
The series of events raised questions about why Hive Social waited some 72 hours to shut down its site after receiving notification users’ most private data was free for the taking. Zerforschung said that after multiple communications, Hive Social claimed to have fixed all issues when that was clearly not the case. The social media site said it never claimed the vulnerabilities were fixed.
Hive Social’s user base reportedly doubled in the last few weeks, going from about 1 million to 2 million as of last week, according to Business Insider. Despite the massive growth, the social media site continued to be staffed by just two people, neither of whom had much of a background in security.
Representatives of both Hive Social and Zerforschung didn’t respond to questions sent by email.
While there are no reports that the vulnerabilities were actively exploited, there’s no way at the moment to rule that out. Anyone with a Hive Social account should be prepared for the possibility that the data they provided during sign-up, as well as private messages, whether deleted or not, have been obtained.
The lesson from this event further supports advice Ars gave on Tuesday concerning Mastodon, another social media site that has also seen skyrocketing user numbers in the aftermath of the Twitter takeover by Musk. Put nothing on the site that you wouldn’t mind being public. Confidential information should never be put in direct messages or any other place. Here’s hoping Hive Social users already knew that.