Troy Hunt
Oct 8, 2024 · 21 tweets · 6 min read
This was a very uncomfortable breach to process for reasons that should be obvious from @josephfcox's article. Let me add some more "colour" based on what I found:
Ostensibly, the service enables you to create an AI "companion" (which, based on the data, is almost always a "girlfriend"), by describing how you'd like them to appear and behave:
Buying a membership upgrades capabilities:
Where it all starts to go wrong is in the prompts people used that were then exposed in the breach. Content warning from here on in folks (text only):
That's pretty much just erotica fantasy, not too unusual and perfectly legal. So too are many of the descriptions of the desired girlfriend:

Evelyn looks: race(caucasian, norwegian roots), eyes(blue), skin(sun-kissed, flawless, smooth)
But per the parent article, the *real* problem is the huge number of prompts clearly designed to create CSAM images. There is no ambiguity here: many of these prompts cannot be passed off as anything else and I won't repeat them here verbatim, but here are some observations:
There are over 30k occurrences of "13 year old", many alongside prompts describing sex acts
Another 26k references to "prepubescent", also accompanied by descriptions of explicit content
168k references to "incest". And so on and so forth. If someone can imagine it, it's in there.
As if entering prompts like this wasn't bad / stupid enough, many sit alongside email addresses that are clearly tied to IRL identities. I easily found people on LinkedIn who had created requests for CSAM images and right now, those people should be shitting themselves.
This is one of those rare breaches that has concerned me to the extent that I felt it necessary to flag with friends in law enforcement. To quote the person that sent me the breach: "If you grep through it there's an insane amount of pedophiles".
To finish, there are many perfectly legal (if not a little creepy) prompts in there and I don't want to imply that the service was set up with the intent of creating images of child abuse. But you cannot escape the *massive* amount of data that shows it is used in that fashion.
Let me add a bit more colour to this based on some discussions I've seen: Firstly, AFAIK, if an email address appears next to prompts, the owner has successfully entered that address, verified it then entered the prompt. It *is not* someone else using their address.
This means there's a very high degree of confidence that the owner of the address created the prompt themselves. Either that, or someone else is in control of their address, but the Occam's razor on that one is pretty clear...
Next, there's the assertion that people use disposable email addresses for things like this not linked to their real identities. Sometimes, yes. Most times, no. We sent 8k emails today to individuals and domain owners, and these are *real* addresses the owners are monitoring.
We all know this (that people use real personal, corporate and gov addresses for stuff like this), and Ashley Madison was a perfect example of that. This is why so many people are now flipping out, because the penny has just dropped that they can be identified.
Let me give you an example of both how real email addresses are used and how there is absolutely no question as to the CSAM intent of the prompts. I'll redact both the PII and specific words but the intent will be clear, as is the attribution. Tune out now if need be:
That's a firstname.lastname Gmail address. Drop it into Outlook and it automatically matches the owner. It has his name, his job title, the company he works for and his professional photo, all matched to that AI prompt.
I've seen commentary to suggest that somehow, in some bizarre parallel universe, this doesn't matter. It's just private thoughts. It's not real. What do you reckon the guy in the parent tweet would say to that if someone grabbed his unredacted data and published it?
As if all this isn't already bad enough, apparently messages about the breach posted to their Discord keep getting removed:
Nobody should ever even need to ask, but just in case you do:

“child sexual abuse material (CSAM) created with content manipulation technologies, to include generative artificial intelligence (AI), is illegal” ic3.gov/Media/Y2024/PS…
