Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Troy Hunt Profile picture
@troyhunt
Oct 8 21 tweets 6 min read Read on X
This was a very uncomfortable breach to process for reasons that should be obvious from @josephfcox's article. Let me add some more "colour" based on what I found:
Ostensibly, the service enables you to create an AI "companion" (which, based on the data, is almost always a "girlfriend"), by describing how you'd like them to appear and behave: Image
Buying a membership upgrades capabilities: Image
Where it all starts to go wrong is in the prompts people used that were then exposed in the breach. Content warning from here on in folks (text only): Image
Image
That's pretty much just erotica fantasy, not too unusual and perfectly legal. So too are many of the descriptions of the desired girlfriend:

Evelyn looks: race(caucasian, norwegian roots), eyes(blue), skin(sun-kissed, flawless, smooth)
But per the parent article, the *real* problem is the huge number of prompts clearly designed to create CSAM images. There is no ambiguity here: many of these prompts cannot be passed off as anything else and I won't repeat them here verbatim, but here are some observations:
There are over 30k occurrences of "13 year old", many alongside prompts describing sex acts
Another 26k references to "prepubescent", also accompanied by descriptions of explicit content
168k references to "incest". And so on and so forth. If someone can imagine it, it's in there.
As if entering prompts like this wasn't bad / stupid enough, many sit alongside email addresses that are clearly tied to IRL identities. I easily found people on LinkedIn who had created requests for CSAM images and right now, those people should be shitting themselves.
This is one of those rare breaches that has concerned me to the extent that I felt it necessary to flag with friends in law enforcement. To quote the person that sent me the breach: "If you grep through it there's an insane amount of pedophiles".
To finish, there are many perfectly legal (if not a little creepy) prompts in there and I don't want to imply that the service was setup with the intent of creating images of child abuse. But you cannot escape the *massive* amount of data that shows it is used in that fashion.
Let me add a bit more colour to this based on some discussions I've seen: Firstly, AFAIK, if an email address appears next to prompts, the owner has successfully entered that address, verified it then entered the prompt. It *is not* someone else using their address. Image
Image
Image
Image
This means there's a very high degree of confidence that the owner of the address created the prompt themselves. Either that, or someone else is in control of their address, but the Occam's razor on that one is pretty clear...
Next, there's the assertion that people use disposable email addresses for things like this not linked to their real identities. Sometimes, yes. Most times, no. We sent 8k emails today to individuals and domain owners, and these are *real* addresses the owners are monitoring.
We all know this (that people use real personal, corporate and gov addresses for stuff like this), and Ashley Madison was a perfect example of that. This is why so many people are now flipping out, because the penny has just dropped that then can identified.
Let me give you an example of both how real email addresses are used and how there is absolutely no question as to the CSAM intent of the prompts. I'll redact both the PII and specific words but the intent will be clear, as is the attribution. Tuen out now if need be:
That's a firstname.lastname Gmail address. Drop it into Outlook and it automatically matches the owner. It has his name, his job title, the company he works for and his professional photo, all matched to that AI prompt. Image
Image
I've seen commentary to suggest that somehow, in some bizarre parallel universe, this doesn't matter. It's just private thoughts. It's not real. What do you reckon the guy in the parent tweet would say to that if someone grabbed his unredacted data and published it?
As if all this isn't already bad enough, apparently messages about the breach posted to their Discord keep getting removed: Image
Image
Image
Nobody should ever even need to ask, but just in case you do:

“child sexual abuse material (CSAM) created with content manipulation technologies, to include generative artificial intelligence (AI), is illegal” ic3.gov/Media/Y2024/PS…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Troy Hunt

Troy Hunt Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @troyhunt

Troy Hunt Profile picture
Oct 25
Was confused whilst doing my live stream just now why there was a sudden spike in DB usage on @haveibeenpwned. Turns out it was related to *dropping* this constraint:
ALTER TABLE [dbo].[Domain] ADD CONSTRAINT [CHK_DomainName_Pattern] CHECK (([dbo].[IsDomainValid]([DomainName])=(1)))
We'd decided a constraint that calls a function on every insert of a new domain was unnecessary; all it did was validate that the string adhered to the correct pattern, but because we controlled the upstream code, we could do that before it even hit the DB.
Read 5 tweets
Troy Hunt Profile picture
Oct 9
Hi folks, yes, I'm aware of this. I've been in communication with the Internet Archive over the last few days re the data breach, didn't know the site was defaced until people started flagging it with me just now. More soon.
Looks like someone compromised a polyfill JS file on a subdomain to inject the alert, but that doesn't explain the root site being down
Looks like a combination of things with the site being DDoS'd as well:
Read 9 tweets
Troy Hunt Profile picture
Sep 25
Another cool little @Cloudflare thing that snuck out recently is this very simple security.txt creator: Image
It's a simple form-based configuration that takes the basics of a security.txt file in the following interface: Image
Because @cloudflare sits in the middle of the traffic, they can then intercept requests to the appropriate path and serve up the file. Here's one I just created: troyhuntsucks.com/.well-known/se…
Read 4 tweets
Troy Hunt Profile picture
Jul 29
Our Aussie Cyber Security Act is going to be interesting to watch unfold not just in it's initial form, but as it evolves over the years. IMHO, great steps forward, but let's look at those arguments *against* it abc.net.au/news/2024-07-3…
"Business groups say the new disclosure rules, and the proposed $15,000 fines for failures to disclose a payment, could sink some small operators." - you only get fined if you don't disclose, so... don't hide the breach!
"They are also pushing back against the decision to include businesses with an annual turnover of more than $3 million, arguing the threshold is too low" - appx 90% of Aussies businesses have turnover <$3M/y, so the scope is still very small
Read 7 tweets
Troy Hunt Profile picture
Jul 19
Something super weird happening right now: just been called by several totally different media outlets in the last few minutes, all with Windows machines suddenly BSoD’ing (Blue Screen of Death). Anyone else seen this? Seems to be entering recovery mode: Image
The issue is worldwide: dailymail.co.uk/news/article-1…
Hearing multiple reports of a Crowdstrike agent issue
Read 22 tweets
Troy Hunt Profile picture
Jul 6
Let's start with what should be obvious: any infosec story that includes a headline about "largest", "greatest", "worst", or similar superlatives should be regarded with suspicion right from the outset. That said, let's delve into this one: cybernews.com/security/rocky…
Firstly to the title - "RockYou". This harks back a decade and a half to a 2009 data breach that exposed 34M records. It was particularly noteworthy as the passwords were in plain text: en.wikipedia.org/wiki/RockYou
Following this breach, the "RockYou password list" became almost the defacto standard list for password crackers. It's one of many breaches that seeded the data in @haveibeenpwned's Pwned Passwords list.
Read 9 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(