The article is essentially a copy/paste of a chain of screenshotted messages that'd been going around for a while.
This sentence specifically:
> With this type of access, newly minted users were able to get behind the login box API used for content delivery. That allowed them to see which users had moderator rights and this in turn allowed them to reset passwords of existing users with simple “forgot password” function. Since Twilio no longer authenticated emails, hackers were able to access admin accounts with ease.
Compare to this comment[1] (linked from MeFi) posted this morning:
> Well, because of that access, it gave them access to the behind the login box API that is used to deliver content (...)
Subsequent posts also seem to indicate that post is incredibly inaccurate[2].
So it looks like someone mixed up "scraping a public API" with some breathless tale of hackers doing hacker things, and HN ate it up.
[1] https://m.alpha.facebook.com/groups/majordomo/permalink/1016...
[2] https://www.reddit.com/r/ParlerWatch/comments/kv0jo6/psa_the...