zlacker

1. zachla (OP) 2025-11-19 01:09:28
Hi all, Hack Club founder here. I just posted this on the Hack Club Slack and want to share here too:

Hi everyone, I should have jumped in sooner. I’m sorry - I’ve been afraid to post because I’ve been worried that any response whatsoever would be crucified. That’s left a lot of you understandably asking questions and that’s on me.

This has been a very difficult set of accusations to deal with this week, and a lot of bad memories have been brought up. Please keep in mind that there is often a lot of context not mentioned and that Hack Club can’t talk about everything as transparently as we’d like due to privacy for the people involved.

First - I want to give an update on the privacy policy. We hired a data privacy lawyer in August through a referral from our main lawyer. We’ve been working with them and expect to be able to release the privacy policy in ~2 weeks. It won’t be anything earth shattering - basically that Hack Club doesn’t sell your data.

From day 1 we have cared about data privacy at Hack Club. When I was a teenager, I’d PGP sign all my emails and refused to use Gmail / etc. because of privacy. When Slack made it possible for organizations to read DMs of members in ~2017, we made a public commitment to never do that for Hack Clubbers unless legally compelled (and have never done so to this day). That’s part of why 100% of all of the code at Hack Club is open source, which none of our peer organizations do (to my knowledge).

Part of why we haven’t been quicker to respond or release a policy is because a privacy policy != security. Practices = security. We haven’t wanted to release something imperfect, so we didn’t release anything at all. We should have just hired a privacy lawyer earlier and published what they recommended - that’s on me.

I believe that Hack Club currently meets or exceeds the security and data practices of other organizations in our space, and where we have found issues (or people have helped us find issues), we have resolved them as quickly as possible. For example, most reports through https://security.hackclub.com are resolved in less than 24 hours. Earlier this year I found a bug (https://gist.github.com/zachlatta/f86317493654b550c689dc6509...) in Google Workspace that enabled phishing from g.co, which is owned by Google - it took them 11 months to fix it (I filed in Jan 2025, got a bounty payout 2 months after reporting, and just got confirmation the bug was fixed 11 days ago).

Here are some of the various steps we’ve taken to enhance security over the past year:

- Essential staff carry YubiKeys, including myself

- https://security.hackclub.com bug bounty program was introduced

- We moved to role-based access control in Airtable and Fillout

- We moved Hackatime and other sensitive apps out of the main self-hosted servers into their own separated server group

- https://identity.hackclub.com was introduced to securely handle ID verifications with audit logs and all documents stored encrypted at rest so individual programs don’t need to handle as much PII. Servers are completely separated from the rest of HC infra.

- We started working pro-bono with a cybersecurity firm that works with Tailscale and other security-critical orgs

- We separated PII collection across YSWSs so programs generally only have access to the individual data people submit to their program (and not the full Hack Club users table)

- And a lot more small things

There are a small number of known cases of accidentally unprotected API endpoints in YSWSs, which were all quickly fixed after being reported through https://security.hackclub.com. We don’t have any evidence any data was leaked. The people who reported all received bounty payouts. Since then, the staff members responsible have been trained and feel very badly about their mistakes.

I hope we can all have a breather and have a better day tomorrow. Thank you all. More soon.
