DrawAFish.com
TL;DR:
Incident Duration: ~6 hours (2AM–8AM EST)
Impact: Username vandalism (slurs); offensive fish approved / safe fish removed
Root Causes: Legacy 6-digit admin password exposed in past data breach; username update API lacked authentication; JWT not tied to specific user
Mitigation: Manual reversal of mod actions, fixed authorization logic, backups reviewed
Takeaway: hwoopsy daisy 🙂
Did you see? Did you see it? What it says? What it says on top of the website?
If you were on Hacker News on Aug 1 2025, you may have seen DrawAFish.com, because it was in the number 1 spot. You also may have seen it if you follow me on Instagram, where you probably also saw that I was in the #1 spot on Hacker News, because I posted about it a lot. And if you talked to me in person you probably heard about it, followed by a lot of quotes from The Social Network (2010) where I replaced various words with "Fish."
"A million fish isn't cool. You know what's cool? A billion fish."