zlacker

[return to "Hack Club: A story in three acts (a.k.a., the shit sandwich)"]
1. jstumm+S9 2025-11-13 12:48:53
>>alexkr+(OP)
> so in july 2025, i discovered that neighbourhood was exposing thousands of users' full legal names through an unprotected API endpoint. literally anyone with a slack ID could access this data. no authentication, no nothing. just a URL parameter and boom, there's your real name.

> i sent formal breach notifications to security@hackclub.com and gdpr@hackclub.com on july 9th. radio silence. nothing. not even an automated "we've received your email" response.

> when i tried talking to HQ staff informally, the responses were... well, shocking doesn't quite cover it. the first intern told me that since hack club is US-based, they're "not held to GDPR," that if fined "nothing compels us to pay it," and that EU people "void your EU protections" by coming to the US.

What? How did we get from (allegedly) informing them about a security vulnerability to them responding "nothing compels us to pay it"? It feels like the author is not being quite as candid in their account of the events as one would hope.
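The quoted post describes a lookup that takes a Slack ID as a URL parameter and returns a full legal name with no authentication. The following is an added illustration, not code from Hack Club, Neighborhood or anyone in this thread: a toy version of that pattern next to a hardened handler that requires a valid session and only discloses the full name to the account owner. The user table, session table and handler signatures are constructed for the example.

```python
"""Unauthenticated profile lookup vs. a hardened version (added example).

Not Hack Club / Neighborhood code. USERS, SESSIONS and the handler shapes
are constructed stand-ins for a real web framework's request objects.
"""
from dataclasses import dataclass

# Constructed sample user table keyed by Slack user ID.
USERS = {
    "U0001": {"slack_id": "U0001", "full_name": "Example Person A", "display_name": "persona"},
    "U0002": {"slack_id": "U0002", "full_name": "Example Person B", "display_name": "personb"},
}

# Constructed session table: bearer token -> Slack ID of the logged-in caller.
SESSIONS = {"tok-alice": "U0001"}


@dataclass
class Response:
    status: int
    body: dict


def lookup_vulnerable(params: dict) -> Response:
    """The pattern the post describes: a bare URL parameter, no auth check,
    and the full legal name of any user is returned to any caller."""
    user = USERS.get(params.get("slack_id", ""))
    if user is None:
        return Response(404, {"error": "not found"})
    return Response(200, {"full_name": user["full_name"]})


def lookup_hardened(params: dict, headers: dict) -> Response:
    """Same endpoint with two fixes:
    1. the caller must present a valid session before anything is looked up
       (so an anonymous caller cannot even probe which IDs exist);
    2. the full legal name is returned only to the account's own owner;
       other authenticated callers get the public display name only."""
    token = headers.get("Authorization", "").removeprefix("Bearer ").strip()
    caller = SESSIONS.get(token)
    if caller is None:
        return Response(401, {"error": "authentication required"})

    target_id = params.get("slack_id", "")
    user = USERS.get(target_id)
    if user is None:
        return Response(404, {"error": "not found"})

    if caller == target_id:
        # Owner sees their own full record.
        return Response(200, {
            "slack_id": target_id,
            "full_name": user["full_name"],
            "display_name": user["display_name"],
        })
    # Everyone else sees only the non-sensitive public fields.
    return Response(200, {"slack_id": target_id, "display_name": user["display_name"]})


if __name__ == "__main__":
    print(lookup_vulnerable({"slack_id": "U0002"}))
    print(lookup_hardened({"slack_id": "U0002"}, {}))
    print(lookup_hardened({"slack_id": "U0002"}, {"Authorization": "Bearer tok-alice"}))
    print(lookup_hardened({"slack_id": "U0001"}, {"Authorization": "Bearer tok-alice"}))
```

The ordering in the hardened handler matters: authenticating before the database lookup means an unauthenticated request gets the same 401 whether or not the ID exists, and the per-field check on the owner is what keeps a legitimately logged-in user from enumerating other people's legal names.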

2. contra+nc 2025-11-13 13:04:11
>>jstumm+S9
It sounds like the author started off by telling them they're doing illegal stuff. It's unclear if it's actually illegal or not, but they naturally got the other side defensive and tried to avoid the author.

If instead they framed it in terms of "hey you guys are sharing stuff you probably didn't mean to" then the reaction would have likely been different
