ilovew+ (OP) 2025-11-14 14:09:41
Hi, I'm the author of the article. I wanted to clarify a few things from the discussion here.

Just to be clear: I didn't post this on Hacker News myself, and I'm not trying to present myself as high and mighty or as some kind of villain. I'm just someone who documented what I observed, made mistakes along the way, and wanted to share my perspective on the discussion that's happening here.

On data exposure:

Chris said "The short answer is no" when asked if kids' data was exposed. From my perspective, the Neighbourhood API exposed thousands of users' full legal names through an unauthenticated endpoint. There was also the Juice vulnerability that exposed passport numbers, flight receipts, phone numbers, and addresses. A log file with minors' PII was pushed to a public Git repository. The Orpheus Engine code is publicly available on GitHub and shows data being sent to third parties.

Whether this meets the technical GDPR definition of "breach" is a legal question I'm not qualified to answer definitively. But the data was accessible to unauthorised parties, which is what I documented.

On ChatGPT legal advice:

Chris said "nobody relied on ChatGPT for legal advice." I have screenshots of a teenage intern using ChatGPT to answer GDPR compliance questions. Whether that counts as "relying on ChatGPT for legal advice" or just using it as a reference tool is a matter of interpretation. I was concerned about a teenager making legal determinations using AI tools, but I can see how others might view this differently.

On the timeline:

Chris said the vulnerability was "fixed immediately... within a day." From my perspective, it was reported on July 3rd and wasn't fixed until after I made it public. Other community members have also questioned this timeline. I may be wrong about this - I'm just sharing what I observed.

On the ban:

Chris is right that I said horrible things to people. I was in a terrible mental state at the time - Chris was involved in my mental health crisis on other occasions beforehand (he called an ambulance to my house). That doesn't excuse my behavior, and I've taken accountability for it. I included this context because I felt it was relevant, but I understand why others might see it as making excuses.

On DSARs and privacy policy:

I mentioned in the article that I sent DSARs (data subject access requests) that went unanswered for months. Chris didn't address this in his response, so I'm not sure what the current status is. I also noted that there's still no privacy policy after 3+ months of promises. Chris mentioned they're "actively iterating" on one, which may be true - I'm just sharing what I observed up to when I was banned.

I also mentioned that the GDPR email address was removed after I raised concerns. Other community members have confirmed this happened. I'm not sure why it was removed or if it's been replaced with something else.

On forced de-anonymisation:

There was a recent incident where a student (who had already bought flights) was told they needed to reveal their identity to get an explanation for why their Parthenon (an in-person event, see https://athena.hackclub.com) invite was revoked. They complied and revealed their identity publicly, but still didn't receive an explanation.

Christina Asquith (Hack Club's COO) responded by accusing them of lying, showing "bad faith," making "false accusations," and "harassing staff." She said "Character matters at hack club" and refused to work with them anymore after they posted in the #meta channel (which is specifically for community feedback). When the student tried to handle it privately first, they got one response and then were ghosted. After they revealed their identity and asked directly for an explanation, Christina still refused to provide one, saying the reason "will not be released" and that "no amount of info will ever be enough for them to stop arguing."

The student later described feeling like they were "talking to a stone wall that showed no emotion" and that they only got help from people who weren't part of the organizing team. Christina has also publicly stated she's "less likely to reply" to anonymous posts and has a problem with people not putting their names behind questions.

For context: Hack Club has a bot called Prox2 that allows community members to post anonymously in the #meta channel (a channel for feedback and concerns). This was created specifically to allow people to raise concerns without fear of retribution, especially given the power imbalance between adults in leadership positions and teenagers in the community. However, staff can refuse to engage unless people reveal themselves, which undermines the purpose of having an anonymous posting system. I'm not sure if this is official policy or just Christina's personal preference, but it's concerning when combined with claims that "no teenager will ever have anything taken out on them."

On multiple issues:

Chris focused his response on the Neighbourhood vulnerability, but the article documented multiple issues (Juice, the Git log file, Orpheus Engine, etc.). I understand he can't address everything, but I wanted to note that the article covered a pattern of issues, not just one incident.

I also noticed that all of these vulnerabilities that I reported came from the same person (Thomas). In Chris's response, he referred to this person as a "junior engineer," but in Hack Club's Slack and other communications, this person's title was "Capability Changing Events Lead." I'm not sure why the title changed in Chris's post, but I thought it was worth noting. This person is still working at Hack Club, and from what I observed, there didn't seem to be much accountability or consequences for the repeated security issues. I may be wrong about this - I'm just sharing what I observed.

On the "lawyer" claim:

Chris mentioned that Hack Club has consulted with "a very fancy lawyer who specializes in corporate compliance." From my perspective, I haven't seen evidence of this legal work - there's still no published privacy policy, no designated DPO (Data Protection Officer), no named compliance contact, and no data-retention policy. I'm not saying the lawyers don't exist - I'm just noting that the community hasn't seen any tangible output from this legal consultation yet. Maybe it's all happening behind the scenes, but from the outside it's hard to tell.

On the pattern of response:

I've noticed that concerns raised in the community sometimes don't get responses for a while, and then when people speak up publicly, staff engage more actively. Other community members have described similar experiences where they felt ignored until they raised things publicly. I'm not saying this is intentional - it could just be that staff are busy and public posts get more attention. But from the perspective of people raising concerns, it can feel like the only way to get a response is to make things public, which isn't ideal for anyone.

On the article:

I tried to be clear that I'm not trying to be a hero or villain - just document what happened. The article starts and ends with praise for Hack Club's mission. Other community members (VEBee, rlmineing_dead) have corroborated some of my points, but I'm sure I got things wrong too. The Orpheus Engine code is public if people want to verify that part themselves.

I wrote the article because I thought these issues were important to document, but I'm sure there are perspectives and context I'm missing. I'm not asking anyone to take my word for it - the code is public, the vulnerabilities are documented, and people can verify things themselves.

I want to be clear: Hack Club has done a lot of good. It's helped thousands of teenagers learn to code, build projects, and find community. Many of my friends came from Hack Club, and I'm genuinely grateful for the opportunities it gave me. That's why I care about these issues - because I want Hack Club to be better, not because I want to tear it down. The problems I've documented are real, but so is the positive impact Hack Club has had on many people's lives.
