The attack is simple: researchers at Rhino Security created a network of dummy accounts and left the targets email as the only real name in their contact list. From afar, it looked like they had a big group of friends, so Secret let them use the app normally, but really it was one real person surrounded by dummies.