|Under certain error conditions, a bug in our API code briefly published 84
users' usernames, email addresses, password hashes, and 100 most recent votes.
This information appeared at https://hacker-news.firebaseio.com/v0/updates. We
notified affected users on Monday, November 10th via email and (for users
without email addresses in their profile) on Tuesday the 11th via a message in
the site header.|
Affected profiles were leaked on one of 10/12, 10/20, or 11/02. In every case,
the leaked data was overwritten 30 seconds later by the subsequent update
batch. The leaked password hashes were salted bcrypt (FreeBSD's default
libcrypt implementation). Though we think the risk is low we encouraged
affected users to change their password on HN as well as on any other sites
where they used the same password.
Many thanks to Ovidiu Toader for alerting us to the bug and for sending us
examples that assisted us in tracking it down. While the bug was fixed on
Sunday, November 9th within minutes of our becoming aware of it, Ovidiu
originally reported the issue one week prior - we just didn't see it in a
To help improve our future response times, we've created a dedicated reporting
address, email@example.com that we'll publish on our contact form.
We're also creating a "Wall of Fame" to properly thank and credit past and
future vulnerability reporters. More details will follow.
Super sorry about this,
The Hacker News Team
A clarification, since some people seem to be misunderstanding: Only publicly available data is intentionally pushed to Firebase. That any part of a user's profile other than their username, account age, about text, and list of submitted items was published IS THE BUG, and is now fixed.