Companies should quickly realize that ChatGPT can go both ways: it can turn a "script kiddie" into a fully fledged hacker if vulnerabilities continue to be this sloppy. I am fairly certain that low-skill hacker sweatshops already rely heavily on LLMs to quickly exploit trivial vulnerabilities like these.
Like it or not, I feel like account logins, PII and payment stuff will have to be handled by central big orgs. Ideally, I would like that to be a competent open-source government service. For now it is big companies like Google that can shove their SSO around in an accessible manner to other sites.
I'm usually the type to be annoyed at HN people who nitpick about articles, but... this is unreadable.
Not sure if it is just me, but the background animation absolutely kills my browser (Chrome) and scrolling is _super_ laggy.
I'm using a high-end ThinkPad for CAD and it's slowing down the page for me too.
FWIW it's smooth on my $150 android shitbox.
The animation is so useless and doesn't add anything to the actual post.
yes, had to use reader mode.
I would highly suggest blocking JS while you're only browsing. Pages load fast, most trackers won't load, and it's better for security, as most browser exploits leverage JS all the time.
> so in july 2025, i discovered that neighbourhood was exposing thousands of users' full legal names through an unprotected API endpoint. literally anyone with a slack ID could access this data. no authentication, no nothing. just a URL parameter and boom, there's your real name.
> i sent formal breach notifications to security@hackclub.com and gdpr@hackclub.com on july 9th. radio silence. nothing. not even an automated "we've received your email" response.
> when i tried talking to HQ staff informally, the responses were... well, shocking doesn't quite cover it. the first intern told me that since hack club is US-based, they're "not held to GDPR," that if fined "nothing compels us to pay it," and that EU people "void your EU protections" by coming to the US.
What? How did we get from (allegedly) informing them about a security vulnerability to them responding "nothing compels us to pay it"? I feel like the author is not being quite as candid in their account as they should probably be.
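The quoted bug is the classic shape of an unauthenticated lookup keyed by a guessable identifier: one URL parameter, no session check, and the handler returns the full record. As an added illustration that is not Hack Club's or the "neighbourhood" project's code, the following sketches a hypothetical handler in that shape beside a hardened version. The user table, the session table, the field names and the Slack IDs are all constructed for the example; the point is the two checks the hardened handler adds (a valid session, then object-level authorization so a caller can read only their own record, with a minimal public view for anyone else).

```javascript
// Added illustration (hypothetical; not code from the project discussed).
// Constructed in-memory user store keyed by Slack ID.
const users = new Map([
  ["U01AAAA", { slackId: "U01AAAA", legalName: "Example Person A", handle: "alice" }],
  ["U01BBBB", { slackId: "U01BBBB", legalName: "Example Person B", handle: "bob" }],
]);

// Constructed session table: bearer token -> authenticated Slack ID.
const sessions = new Map([["tok-alice-123", "U01AAAA"]]);

// Vulnerable shape: any caller who knows (or enumerates) a Slack ID gets the
// full record, including the legal name. No authentication, no authorization.
function lookupVulnerable(query) {
  const user = users.get(query.slackId);
  if (!user) return { status: 404, body: null };
  return { status: 200, body: user };
}

// Hardened shape:
//   1) require a valid session (401 otherwise);
//   2) enforce object-level authorization: full record only for the caller's
//      own Slack ID;
//   3) for anyone else, return only fields that are already public in the
//      workspace, so the legal name never leaves the server by accident.
function lookupHardened(query, headers) {
  const token = (headers.authorization || "").replace(/^Bearer\s+/i, "");
  const callerId = sessions.get(token);
  if (!callerId) return { status: 401, body: null };

  const user = users.get(query.slackId);
  if (!user) return { status: 404, body: null };

  if (callerId === user.slackId) {
    return { status: 200, body: user }; // own record: full view
  }
  return { status: 200, body: { slackId: user.slackId, handle: user.handle } };
}

// Drives both handlers through the cases a reviewer would test.
function demo() {
  return {
    anonVuln: lookupVulnerable({ slackId: "U01BBBB" }),
    anonHard: lookupHardened({ slackId: "U01BBBB" }, {}),
    aliceSelf: lookupHardened({ slackId: "U01AAAA" }, { authorization: "Bearer tok-alice-123" }),
    aliceOther: lookupHardened({ slackId: "U01BBBB" }, { authorization: "Bearer tok-alice-123" }),
    aliceMissing: lookupHardened({ slackId: "U01ZZZZ" }, { authorization: "Bearer tok-alice-123" }),
  };
}
```

The vulnerable handler returns Example Person B's legal name to an anonymous caller; the hardened one returns 401 to the same request, the full record only to the authenticated owner, and a handle-only view to any other logged-in user. The session check alone would not have been enough: without the ownership comparison, any logged-in member could still walk the ID space and collect every name.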
Sounds like Hack Club is doing a great job at preparing teenagers for the real world: nobody cares about the things you care about as much as you do. The most important skill to learn for the real world is to pick your battles. Using ChatGPT for legal advice is dumb, but it’s not your battle to fight.
It absolutely is their battle to fight. This organisation appears to be exploiting them and their data.
Agreed.
DEATH handing out swords to kids as Santa in the Hogfather is a funny joke, not an example to follow.