Full Report
Plus: A ransomeware gang steals data on 8,000 preschoolers, Microsoft blocks Israel’s military from using its cloud for surveillance, call-recording app Neon hits pause over security holes, and more.
Analysis Summary
# Incident Report: Doxing Platform Accidentally Leaks User Data
## Executive Summary
The application "Cancel the Hate," designed to expose personal information (dox) critics of the late Charlie Kirk, suffered a significant security failure. Due to non-functional privacy settings on its hosting website, the application inadvertently leaked the personal contact information (email addresses and phone numbers) of its own users to the public. The application's services have since been suspended while it purportedly seeks a new service provider.
## Incident Details
- Discovery Date: This week (as of Sep 27, 2025)
- Incident Date: During the operational period of the "Cancel the Hate" app.
- Affected Organization: "Cancel the Hate" application/platform.
- Sector: Social/Political Activism Platform.
- Geography: Not specified, but implied US focus due to the subject matter.
## Timeline of Events
### Initial Access (N/A - This was an internal application flaw)
- Date/Time: Prior to discovery.
- Vector: Security flaw in the hosting website's privacy controls.
- Details: The website hosting the app failed to properly enforce privacy settings, publicly exposing user data regardless of the user's chosen configuration.
### Lateral Movement
- Not applicable/Observed. The primary incident was unauthorized data exposure due to configuration failure.
### Data Exfiltration/Impact
- Direct data leakage of user PII (email addresses and phone numbers). A security researcher ("BobDaHacker") demonstrated the vulnerability.
- The attacker/researcher reportedly also had the ability to delete user accounts at will.
### Detection & Response
- Detection: A security researcher identified the exploit and demonstrated the flaw to Straight Arrow News.
- Response Actions: The application suspended its primary reporting/doxing features and displayed a message indicating a move to a "new service provider." The T-shirt sales page remains active.
## Attack Methodology
- Initial Access: N/A (Internal configuration vulnerability)
- Persistence: N/A
- Privilege Escalation: N/A
- Defense Evasion: N/A
- Credential Access: N/A
- Discovery: Public demonstration by security researcher 'BobDaHacker'.
- Lateral Movement: N/A
- Collection: Public exposure of user data stored on the platform.
- Exfiltration: Data was publicly accessible due to misconfigured privacy settings.
- Impact: Doxing of the platform's own users.
## Impact Assessment
- Financial: Not specified, though the platform was selling merchandise ($23 T-shirts).
- Data Breach: Exposure of users' email addresses and phone numbers. The volume is unspecified but represents the entire user base of those who contributed data.
- Operational: The core doxing functionality of the app was shut down/suspended.
- Reputational: Significant reputational damage to an organization founded on protecting user privacy while achieving ideological goals.
## Indicators of Compromise
- Network indicators: None provided (Defanged URLs/IPs cannot be listed).
- File indicators: None provided.
- Behavioral indicators: Failure of privacy settings to validate user selections, leading to unauthorized public data dissemination.
## Response Actions
- Containment measures: Suspension of the application's reporting/doxing features.
- Eradication steps: Unknown if this was fully eradicated, as the main site remains online with an announcement of moving providers.
- Recovery actions: A message suggesting migration to a "new service provider."
## Lessons Learned
- Key takeaways: Applications designed for sensitive operations, especially those involving exposing third parties, require rigorous and correctly configured access controls and privacy validation. Never trust default or "private" settings to function without explicit testing beforehand.
- What could have been done better: Perform thorough security audits, particularly penetration testing on access control and privacy mechanisms, before launching or collecting PII.
## Recommendations
- Implement strict input and configuration validation to ensure privacy settings function as intended before publishing data.
- Do not rely on third-party hosting security if the application handles sensitive user input; ensure security layers are layered and redundant.
- If the platform's primary mission depends on user anonymity or secrecy, consider alternative, more secure methods than leveraging flawed public website privacy options.