Hive Social, a social media network that has gained significant traction as a potential Twitter “replacement” after the latter was taken over by erratic tech billionaire Elon Musk, has been forced to shut down its servers after ethical hackers identified major vulnerabilities in the service that could potentially have put user data at significant risk.
Zerforschung, a decentralised collective of German hackers, started poking under Hive’s bonnet after the site began to attract users in earnest in mid-November. They said they found multiple critical vulnerabilities that they reported to Hive in confidence.
Hive acknowledged the report and claimed to have fixed the issues, but the collective said this was not in fact the case.
“The issues we reported allow any attacker to access all data, including private posts, private messages, shared media and even deleted direct messages,” said Zerforschung.
“This also includes private email addresses and phone numbers entered during login. Attackers can also overwrite data, such as posts owned by other users.
“We strongly advise against using Hive in any form in the current state.”
The collective said that it would not be publishing an in-depth technical analysis of what it had found at this stage, so as not to endanger the privacy of Hive’s users.
Posting on Twitter, a Hive spokesperson said: “The Hive team has become aware of security issues that affect the stability of our application and the safety of our users. Fixing these issues will require temporarily turning off our servers for a couple of days while we fix this for a better and safer experience.
“We plan to work tirelessly until we can get back online and we hope to welcome you back to a faster and more stable Hive very soon.”
Hive was founded in 2019 by California-based student and former Instagram influencer Raluca Pop, who also uses the alias Kassandra Pop. Speaking to Newsweek last month, Pop said she decided to have a go at creating a social media space for herself after becoming frustrated with changes to Instagram’s algorithm. She teamed up with a freelance developer and taught herself to code, before releasing the first version of the app in October of that year.
Since then, the service has been expanding slowly but surely, and for a time was the most downloaded application on Apple’s iOS App Store after being featured in Teen Vogue magazine. It received its first injection of venture capital funding in October 2021.
The service now boasts more than 1.5 million users, a number that has been ballooning since Musk’s takeover of Twitter and his reinstatement of thousands of suspended accounts linked to the far right of the political spectrum.
In the wake of Hive’s shutdown, ESET global cyber security adviser Jake Moore said: “With many people currently on the lookout to potentially replace Twitter, they may be quick to download lots of alternatives, but this could be to the detriment of their personal information. The particular data exposed on Hive Social that is obtainable is worryingly intrusive and damaging to users.
“Many people will have downloaded Hive Social on the recommendation from a friend or peer group, but this is often where the due diligence stops and security and privacy remain an afterthought. The sensitive information that could be viewed, such as private posts, phone numbers and messages, could have caused further social engineering attacks by obtaining more details, such as financial credentials.
“People must be reminded to carry out research on new apps before downloading them and to limit the amount of data they lend to new applications, especially social media platforms which demand relatively personal data to function.”
Speaking to Computer Weekly last month, Moore said it was not necessarily appropriate, or the right time, for organisations or individuals to suspend their use of Twitter.
“Things change rapidly all the time, and I don’t want to see companies shoot themselves in the foot if Musk has other ideas to sell the platform on, or has something else in mind,” he said. “Companies and users alike should err on the side of caution where they can.”