It's def a hacker from the incumbent because:
1) They took action after getting the Stripe key by refunding all customers
2) They drafted an email to all customers after a hack that got the mailing list and API route to send emails
3) Not once has the hacker asked for compensation of any kind nor a ransom
Not sure how to word this, but are you "new" on the internet? People used to break stuff "for the lulz" since the dawn of time.
I remember when I was a kid running a tiny forum with phpbb or something, and some script kiddies from g00nsquad (can't remember exact spelling, but something like that) defaced it. They didn't ask for money, they just did it for fun.
Sure things have changed now and the internet has become more corporate, but I reckon there are still people out there doing this stuff because they can.
> Sure things have changed now and the internet has become more corporate, but I reckon there are still people out there doing this stuff because they can.
I recall a while back there was a story here about a recipe app that used LLMs to generate recipes. It didn't take long before posters started showcasing recipes they tricked the LLM into generating, involving ingredients such as cyanide and computer chips.
The pull is always there.
My understanding has always been that most hackers do it for the fun/challenge/sport of it and it's only a small fraction who are in it for the money.
Breaking things is just fun for them and the internet is their video game.
Also the vibe I am getting from places like reddit/etc... is that it's currently open season on vibe coded apps. Lots of internet points to be had for destroying them.
Breaking things is fun. Effectively stealing money (the refunds) is highly illegal, immoral, and malicious. Who knows who did it, but that aspect is just dickhead territory.
I wouldn't call that stealing. It is a forced refund. A hacker could even justify it to himself that these people were unknowingly paying for a shitty product that was built like Swiss cheese, time to give them a refund. Another plausible one is "this guy shouldn't be allowed to run a website, I can't believe he made money for it, it is going back".
I am not saying it is the most likely case or even ethically justified but it is definitely not a super unlikely one. Anyone who thinks that's an impossible scenario has not been in the hacker's shoes.
> I wouldn't call that stealing. It is a forced refund.
If someone took money out of your pocket would you call it stealing? What if they gave it to someone else, like a past employer or your parents or a humanitarian organization?
By the way, you should check a dictionary. The definition of "stealing" is literally taking something away without permission.
Being in the possession of a password or key implies having permission to use that key. When generating a key you give everyone with access to that key the permission to use it to perform actions on your account.
Protect your keys.
> Being in the possession of a password or key implies having permission to use that key.
No, it doesn't.
Yes, it does.
> Being in the possession of a password or key implies having permission to use that key
So if I get your house key I can use your bathroom?
Seriously, what hill are you trying to die on here?
Depends - did I hand it out at the street corner?
Nah, you left it under your door mat.
Would insurance cover that?
Does it matter?
Yes.
Refund or chargeback? The processing fees for a chargeback on every transaction could put him out of business.
He's lucky they didn't find a way to use it for card washing.
It would have had to be a refund. The hacker couldn't initiate a chargeback from knowing the merchant's stripe keys. Seriously doubt it was a competitor. The risks of hiring someone to commit felonies against your competitors just isn't worth it. Especially since the vibe coder seems to be bungling things on their own just fine.
How about you pay more attention to the story? It's not Visa/MasterCard or the customers that got hacked.
> I wouldn't call that stealing. It is a forced refund.
Respectfully, what the hell are you talking about?
Imagine you work 40 hours making an app and I pay you for those 40 hours. A third party comes in and says, I'm forcing a refund here - you lose the money you made, but you get the app you made.
How do you feel about this forced refund?
> I wouldn't call that stealing. It is a forced refund.
Can you name an instance of stealing that could not be described as a forced refund?
I don't see how any of that implies that an incumbent did it.
If you were a criminal trolling the Internet for vulnerable servers and found stripe keys... would your first instinct be to refund customers rather than do some other sort of crime? Like what's the motivation you envision here?
"Because I can" or "Because it's funny" are more than enough reason for most people. The fact that the hacker refunded all the customers, then emailed them to warn them that they were using a terrible app actually sounds like a pretty tame troll to me. If the hacker was truly hired by the competition to act maliciously, they could have done far, far worse.
Your friend should take this as a lesson instead of trying to deflect blame to their competitors.
> Because it's funny
I think you mean “for the lulz”
There are black hat hackers that take great joy in just causing as much chaos as possible, particularly with such vibe-coded apps. Even with stripe keys, it's not like they could direct money elsewhere.
Maybe a blackhat hacker decided that the software was so shoddily built that the company didn't deserve to continue existing, and decided to try to make that happen as a sort of vigilante justice against crappy vibe-coded apps.
Definitely not a good idea but it's not an unreasonable motivation.
Some people just want to watch the world burn :shrugs:
Fun and internet points!
what was in this email though?
Hey all I’m an independent security researcher and I found that you are paying for an app that is shoddily built and doesn’t respect your privacy or security so I decided to give you all a refund. Have a nice day!
Telling customers it was built with AI and insecure.
Please don't consider becoming a judge. Also, try re-reading what you wrote a few times.