After the third update where the startup outlined their steps to fix the situation, the hacker added an addendum to their website with a link to the full incident report (in English). You can still find it on the web archive:
https://web.archive.org/web/20251008231051/https://security....
Direct link to the incident report (in English): https://anonfile.co/CZqiAMqc3sYyvHZ/file
The hacker accuses them of vibe coding their entire infrastructure and thus not understanding what they have created. And if only half of the content of the incident report is true, I am inclined to believe him. If you look at the founders and employees on LinkedIn, not even the CTO seems to have any IT experience. Which in itself wouldn't be that big of a problem, but they explicitly marketed their product as extremely secure and local. Seems very hypocritical to me to then not even give a second thought to securing your own infrastructure.
All in all with how they handle it, the startup seems to be just trying to save their image without really working on the flaws in their security, but here is hoping that I am wrong for the sake of their customers.
Some more links to news articles (in German): https://www.borncity.com/blog/2025/10/06/desaster-sicherheit... He did 3 parts on this, as apparently the hacker contacted him directly with insider information.
https://www.derstandard.at/story/3100000291066/localmind-sic...
https://www.heise.de/news/Sensible-Unternehmensdaten-ueber-S...
tobwen•3mo ago
This summary outlines the key events and remediation actions from the official incident reports published by Localmind.ai between October 5 and October 9, 2025.
Incident overview and initial response (October 5)
On October 5, 2025, at 05:43 CEST, Localmind detected unauthorized access to its systems. The immediate response was to take all affected systems, including internal platforms and customer instances, offline to contain the breach. Initial measures included:
Root cause analysis (October 5, Update #2)
The breach originated from a misconfiguration in an externally accessible beta-test instance. The flaw granted administrator privileges by default to a newly registered account. The attacker used this access to:
The company stated that internal processes and control mechanisms failed and accepted full responsibility for the incident.
Impact assessment and forensic updates
Remediation and security hardening measures
The company initiated a comprehensive infrastructure rebuild and security overhaul.
Subsequent attack attempt (October 9)
On October 9, Localmind reported a renewed attempt to gain unauthorized access. The new security measures successfully blocked these attacks. The only confirmed impact was a brief, unauthorized text modification on a separately hosted, external development website, which was promptly reverted. The company attributes this attempt to the same threat actor.
Status as of latest update (October 9, 2025)
Systems were in a phased, controlled restart process, with customers being kept informed. The company continues to work on audits and security fortifications.
Sources (as Mementos)
<https://web.archive.org/web/20250000000000*/https://www.loca...> <https://web.archive.org/web/20250000000000*/https://security...>
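As an added illustration of the root cause summarised above (not Localmind's code, and not from the incident report): a hypothetical instance model where the role handed to self-registered accounts comes from configuration, with the misconfigured "admin by default" beta setting beside the least-privilege default, plus a config check and an account audit a defender could run to catch it. All class and function names are assumptions.

```python
# Hypothetical model of the misconfiguration: default role for signups is config-driven.
from dataclasses import dataclass, field
from typing import Optional

ROLES = ("viewer", "editor", "admin")

@dataclass
class InstanceConfig:
    name: str
    default_role: str = "viewer"      # least privilege for self-registration
    public_signup: bool = False       # beta instances should not be open by default

@dataclass
class Account:
    username: str
    role: str
    self_registered: bool
    granted_by: Optional[str] = None  # admin who explicitly raised the role, if any

@dataclass
class Instance:
    config: InstanceConfig
    accounts: dict = field(default_factory=dict)

    def register(self, username: str) -> Account:
        """Self-service signup: the role is whatever the instance config says."""
        if not self.config.public_signup:
            raise PermissionError("signup disabled")
        acct = Account(username, self.config.default_role, self_registered=True)
        self.accounts[username] = acct
        return acct

    def grant_role(self, actor: str, username: str, role: str) -> None:
        """The only legitimate path to admin: an existing admin grants it."""
        if self.accounts[actor].role != "admin":
            raise PermissionError(f"{actor} is not an admin")
        if role not in ROLES:
            raise ValueError(role)
        self.accounts[username].role = role
        self.accounts[username].granted_by = actor

def audit_default_admins(inst: Instance) -> list:
    """Flag self-registered admins that nobody explicitly promoted."""
    return [a.username for a in inst.accounts.values()
            if a.role == "admin" and a.self_registered and a.granted_by is None]

def check_config(cfg: InstanceConfig) -> list:
    findings = []
    if cfg.public_signup and cfg.default_role == "admin":
        findings.append(f"{cfg.name}: public signup grants admin by default")
    return findings
```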
sofixa•3mo ago
Notion being a SaaS, there is always a risk of some misconfiguration or breach leaking the information from it.
tobwen•3mo ago
PufPufPuf•3mo ago
sofixa•3mo ago
There is no good reason to keep secrets in clear text in a doc/code repo/knowledge base.