We found a number of critical vulnerabilities, which we confidentially reported to the company. After multiple attempts to contact the company we finally reached them by phone and they acknowledged the report. After multiple days and multiple reminders by us, they claimed to have fixed all issues. However, multiple vulnerabilities we reported still exist at the time of writing.
The issues we reported allow any attacker to access all data, including private posts, private messages, shared media and even deleted direct messages. This also includes private email addresses and phone numbers entered during login.
Attackers can also overwrite data such as posts owned by other users.
The Hive team has become aware of security issues that affect the stability of our application and the safety of our users. Fixing these issues will require temporarily turning off our servers for a couple of days while we fix this for a better and safer experience.
To their credit, it sounds like pulling the plug entirely was the right move, and most companies would not have done that. Even if they did it not when they first found out, but only after someone created a PR disaster to force their hand. One takes what one can get.
However, that does not change the fact that (as I said earlier this week) they are yet another data silo whose lock-in design is antithetical to the principles of openness and interoperability, which are the good things that the Internet and the World Wide Web brought to the world.