Webflow Incident Report

https://webflow.com/blog/july-28-webflow-incident-report

7•philip1209•6mo ago

Comments

PaulHoule•6mo ago

Is there any attacker who isn’t malicious?

altairprime•6mo ago

I once caused a 10Gbit DDoS of our own services with a typo in a code library. The attack turned out not be malicious at all! Once could say that it was, then, no longer an attack — but it was until we understood it :)

swat535•6mo ago

Reading the page, I'm not sure what Webflow could have done better here.

DDoS attacks are hard to mitigate and it looks like they are throwing money at the problem to scale up, which is the best you can do to survive future attacks.

srcoder•6mo ago

I am a little angry with these kind of write-ups where they point a lot at others (bad actors, malicious traffic) instead of admitting a problem in the software. I cannot imagine that you piss of somebody that much that this actor will only focus on one piece of your platform (again and again)

I've done many large database migrations which involved adding or removing indexes which included full table locking and they often lead to (accounted) downtime.

---

My honest take on this...

Most probably their regular user signup just wasn't protected well enough with captcha or CSRF and created some background processes that piled up on tables lacking some indexes which finally became a visible bottleneck.

They assumed bad traffic, so took the wrong turn. (WAF)

After they "implemented a fix" which should add an index to a large table that took down the database server because of table locking. This also doesn't recover after an abort.

Next up, UPGRADE OUR DB SERVER, and db table cache is gone, hence disabling user logging to allow to get a warm start. Didn't work, DOWNGRADE OUR DB SERVER, same thing repeats.

---

No bad actors involved.

Watermark API – $0.01/image, 10x cheaper than Cloudinary

Now send your marketing campaigns directly from ChatGPT

Queueing Theory v2: DORA metrics, queue-of-queues, chi-alpha-beta-sigma notation

Show HN: Hibana – choreography-first protocol safety for Rust

Haniri: A live autonomous world where AI agents survive or collapse

GPT-5.3-Codex System Card [pdf]

Atlas: Manage your database schema as code

Geist Pixel

Show HN: MCP to get latest dependency package and tool versions

The better you get at something, the harder it becomes to do

Show HN: WP Float – Archive WordPress blogs to free static hosting

Show HN: I Hacked My Family's Meal Planning with an App

Sony BMG copy protection rootkit scandal

The Future of Systems

NASA now allowing astronauts to bring their smartphones on space missions

Claude Code Is the Inflection Point

Show HN: MicroClaw – Agentic AI Assistant for Telegram, Built in Rust

Show HN: Omni-BLAS – 4x faster matrix multiplication via Monte Carlo sampling

The AI-Ready Software Developer: Conclusion – Same Game, Different Dice

AI Agent Automates Google Stock Analysis from Financial Reports

Voxtral Realtime 4B Pure C Implementation

I Was Trapped in Chinese Mafia Crypto Slavery [video]

U.S. CBP Reported Employee Arrests (FY2020 – FYTD)

Show HN: I built a free UCP checker – see if AI agents can find your store

Show HN: SVGV – A Real-Time Vector Video Format for Budget Hardware

Study of 150 developers shows AI generated code no harder to maintain long term

Spotify now requires premium accounts for developer mode API access

When Albert Einstein Moved to Princeton

Agents.md as a Dark Signal

System time, clocks, and their syncing in macOS