Claim:
A screenshot identified a list of X users, all prominent conservative accounts, who could post racist comments without facing any repercussions.
Evaluation:
On July 25, 2024, a user named “Anti-Fascist Turtle” posted an image purporting to show a list of accounts on the social platform, including a list of racist slurs that the accounts were allegedly allowed to use.
These accounts included prominent conservative accounts such as EndWokeness and LibsOfTikTok, as well as the official accounts of former US President Donald Trump, X owner Elon Musk and the Russian Foreign Ministry. The “Anti-Fascist Turtle” account was suspended by the platform shortly after posting.
But it was too late: the post had already gone viral, and the poster’s suspension only accelerated the image’s spread. The poster labeled the screenshots and their supposed findings as a “Twitter API leak,” and many users shared the post using that term.
A Snopes reader asked us to investigate the Twitter API leak and whether the findings were genuine. We discovered that the images were fake and the findings were not genuine.
To best understand the details of the situation, Snopes spoke via direct message with Maia Arson Crimew, a cybersecurity expert and hacktivist best known for publishing the 2019 TSA no-fly list.
Crimew urged particular caution, saying the content of the list was “perfect for inciting outrage” given the accounts’ large public profiles and the fact that the list of words the accounts are said to be able to use is made up primarily of racist slurs.
In response to the outrage that erupted on the platform after the post went viral, X added the rarely used “manipulated media” tag to the bottom of the post, but Crimew said adding the tag may have backfired because people were generally unfamiliar with the tag.
“It just made people feel even more that this is a conspiracy,” she said.
Given the prejudice that users of the platform have towards the company and Musk, Crimew’s argument makes sense: the “manipulated media” tag and the original poster’s suspension may have led people to believe that the company is trying to hide the “truth.”
So what was actually going on?
Okta
According to Crimew, the screenshots claim to show a “configuration file” for X hosted on Okta servers. The screenshots include a list of accounts that are supposedly excluded from automatic moderation, as well as a list of words for which “[said accounts] [are] not automatically moderated [using].”
Okta is what’s known as an “identity provider,” meaning it develops software that allows other companies to add authentication to their sites.
When signing into a modern website, users are asked to enter a username and password or click a button that allows them to sign in with another platform (most commonly Google or Facebook). Okta makes software that rivals the “Sign in with Google” button, but it’s more powerful and integrates in the background.
According to Crimew, a former X employee said that while it was true that the company used Okta, it was only used internally, and that Okta’s software did not involve any user moderation.
In other words, finding information related to user moderation on Okta servers that supposedly managed login and authentication is as strange as finding a live shark in a refrigerator.
Snopes reached out to Okta for comment on the matter, and a company spokesperson said in an email that the screenshots are fake.
X Moderation
Another big issue with the alleged leak is that X already had moderation features that could, in theory, do the same thing.
Internet moderation is often automated because there is too much content posted for humans to manually review everything. However, automated moderation brings its own problems, such as mass reporting. To avoid such problems, X can add a flag to individual account profiles, requiring that moderation actions on that profile be manually approved.
X has not publicly stated the purpose of the tool, but Crimew cites three reasons why social media sites use similar tools: to prevent mass reporting, to ensure that official government accounts are not subject to automated moderation (which could have unintended geopolitical effects), and to more easily comply with requests from law enforcement to protect social media activity.
The system has been publicly known since the so-called “Twitter Files,” which Musk opened to a select group of journalists and writers when he bought the company in 2022. Screenshots of the moderation tool were published in a TechCrunch article in December 2022, where it was applied to the LibsOfTikTok account, which was also included in the list in the supposed API leak.
But this simply confirms the fact that the X platform already had such tools. Crimew said the supposed API leak would have been a second, more primitive implementation of the same functionality. In other words, if X’s leaders really wanted to allow the small number of accounts present in the API leak to break the website’s rules, they would have already had the tools to do so.
Snopes reached out to X for comment on the screenshots, beyond the “manipulated media” tag the site added to posts sharing the purported leak. A spokesperson confirmed in an email that the screenshots are fake. The spokesperson also provided a link to an X post by one of the company’s security engineers who publicly stated that the screenshots were fake.
At this point in our investigation, we were confident that the screenshots and their findings were fake. The final step is to determine where this misinformation came from.
Vx-Underground
The story began with vx-underground, an online malware website and research group that claims to have the world’s largest collection of malware code samples. The administrator and founder of vx-underground, smelly_vx, collects and discusses tips about cybersecurity breaches and hacks through his account on X.
According to a thread posted by vx-underground’s X account, smelly_vx received an anonymous DM on X with a link to the screenshot that would eventually go viral. After a quick look, he chose to share the screenshot and information with vx-underground’s Discord server. However, when he posted the image on Discord and wrote, “Prepare for a Twitter storm. I found someone exposing my Okta settings for Twitter. Twitter is violating my privacy,”[eliges] He said he would “leave information on right-wing platforms” without verifying the authenticity of the information.
The group immediately began investigating the supposed leak but was unable to recreate anything, so vx-underground decided to pass the screenshots on to someone else to investigate. However, an unidentified user shared an edited version of the Discord post on X, leaving vx-underground members frantically trying to figure out what happened while the post was going viral.
The vx-underground team declined to publish a correction because the issue would be “forgotten in the next two days,” but repeatedly pointed commenters to the post explaining that they were unable to independently verify the information.
According to an X thread posted by user Rhinozzcode in collaboration with Crimew, neither smelly_vx’s announcement on the vx-underground Discord server nor the X post spreading it mentioned that the supposed information had yet to be verified.