Security Stories
Real-world security incidents and lessons
38 articles

How a Lovable App Exposed 18,000 Users, Including Students
A Lovable-hosted exam app had 16 vulnerabilities including backwards authentication logic that blocked logged-in users and let anonymous visitors access everything. 18,697 user records leaked, including K-12 students.
How Attackers Used AI to Breach 50,000 FortiGate Firewalls
In early 2025, AI-assisted attackers compromised 50,000 FortiGate firewalls in weeks. Here's what happened and why it matters for every app builder.
How Moltbook Exposed 1.5 Million API Keys in Client-Side Code
Moltbook launched with their Supabase database wide open. No Row Level Security. 1.5 million API keys exposed in client-side JavaScript. A basic scan would have caught this before launch.
Why I Almost Gave Up on Security
The emotional journey of dealing with security as a solo founder. The overwhelm, the near-surrender, and how I found a sustainable approach.
When My Stripe API Key Got Leaked
A founder's story of discovering their Stripe secret key was exposed in a public GitHub repo. The panic, the response, and the lessons learned.
The $12,000 AWS Bill That Changed Everything
How an exposed AWS credential led to a cryptocurrency mining operation on my account. The shocking bill, the investigation, and how I got most of it refunded.
When a Competitor Found Our Security Flaw
A competitor publicly disclosed a security vulnerability in our product. The embarrassment, the scramble to fix it, and what we learned about responsible disclosure.
The Customer Email That Started a Crisis
A customer reported seeing another user's data. What followed was a 72-hour crisis of investigation, damage control, and difficult conversations.
The Day My Database Was Exposed
A startup founder discovers their Supabase database was publicly accessible. No RLS, no auth checks. User data was exposed for three weeks before anyone noticed.
My First Security Incident
A founder's honest account of their first security incident. The panic, the mistakes made during response, and the lessons that shaped how they think about security.
My GitHub Secrets Went Public
The story of accidentally pushing secrets to a public GitHub repository. How it happened, how fast they were found, and the scramble to fix everything.
The Hacker Who Reached Out First
A white hat hacker found a vulnerability in our product and reported it responsibly before anyone could exploit it. This is the story of that email and what followed.
When Insurance Denied Our Breach Claim
We had cyber insurance. We had a breach. They denied the claim. The painful lesson about what cyber insurance actually covers and the fine print that matters.
When Someone Stole My OpenAI Key
A developer woke up to $2,000 in OpenAI charges after their API key was found in a public repository. The story of discovery, damage control, and prevention.
How We Recovered from a Breach in 48 Hours
A step-by-step timeline of incident response that worked. From discovery to recovery in 48 hours, including the critical decisions and lessons learned.
The Security Audit That Was a Wake-Up Call
What happens when professionals review your code for security issues. The findings were humbling, but the experience transformed how we build software.
How Missing RLS Nearly Killed My Startup
A startup founder discovers their Supabase database had no Row Level Security. Any user could see any other user's data. The story of discovery, panic, and recovery.
A User Found Our Security Bug
How a customer support ticket about 'weird behavior' led to discovering and fixing a critical authorization vulnerability in our application.
The Weekend Hack Attempt I Almost Missed
A founder's story of discovering an ongoing attack on their app while checking metrics on a lazy Sunday. How monitoring alerts and quick action prevented disaster.
What I Learned Scanning 100 Vibe Coded Projects
After scanning 100 AI-generated projects, clear patterns emerged. Here are the most common vulnerabilities in vibe coded apps and how to avoid them.
When Someone Found Our Unprotected Admin Panel
A stranger found our admin panel at /admin with no authentication. They could see all user data, modify settings, and delete accounts. How we fixed it.
How API Abuse Nearly Bankrupted Our Startup
Someone found our unprotected AI API endpoint and racked up $47,000 in OpenAI charges in a single weekend. The story of how we discovered and stopped the abuse.
A Bot Attack Overnight Crashed Our Servers
How automated bots overwhelmed our unprepared servers in the middle of the night. The chaos of waking up to a crashed system and how we built resilience.
How the Dev Community Helped Me Fix a Security Mess
When I discovered multiple vulnerabilities in my app, the developer community helped me understand and fix them. A story about learning security together.
When Fraudsters Used Our Site for Credit Card Testing
How criminals used our checkout page to test stolen credit cards, resulting in chargebacks, fraud alerts, and a suspended Stripe account.
Rebuilding Customer Trust After a Security Incident
After our security incident, we lost customers and trust. Here's how we communicated, what we changed, and how we eventually rebuilt confidence.
A Dependency Vulnerability Put Our Users at Risk
How an outdated npm package with a known vulnerability exposed our application to attacks. The scramble to patch and lessons about dependency management.
Someone Almost Stole Our Domain Through Social Engineering
How a social engineering attack nearly transferred our domain to an attacker. The warning signs we missed and how we recovered control just in time.
Google Indexed Our .env File - A Startup Security Nightmare
How our .env file got indexed by Google, exposing database credentials and API keys to anyone who searched. The scary discovery and our emergency response.
How a Firewall Rule Saved Us from a Massive Attack
A simple Cloudflare firewall rule we set up months ago blocked 50,000 malicious requests in one night. Here's what the attack looked like and why basic protections matter.
From Zero Security to Sleep-at-Night Confidence
A practical guide based on our journey from security-ignorant to security-confident. The specific steps that got us there without becoming security experts.
When an Investor Asked About Security - How to Be Ready
An investor asked 'What's your security posture?' and we weren't ready. Here's how we turned that awkward moment into a system for being prepared.
What I Learned from My Biggest Security Failure
A reflection on the security incident that taught me the most. The mistakes I made, the lessons I learned, and how failure became my best teacher.
The Password Breach That Affected Our Whole Team
A third-party service we used got breached, exposing credentials our team had reused. How credential stuffing almost compromised our systems.
Our First Penetration Test - What to Expect
We hired our first penetration tester and didn't know what to expect. Here's what the process looked like, what they found, and whether it was worth the investment.
The True Cost of Security Debt - A Cautionary Tale
We accumulated security debt for two years. When it came due, it cost us 10x what prevention would have. Here's the math nobody wants to do.
Our Startup's Security Journey - From Zero to Confident
How we went from 'security can wait' to building a culture of security at our startup. The steps, mistakes, and wins along the way.
What Hackers Look for in Vibe Coded Apps
A look at how attackers find and exploit vulnerabilities in AI-generated applications. Understanding the attacker mindset to build better defenses.