Key findings:
- 71 companies with accessible databases audited
- 20.1M rows exposed to anonymous access
- 28% leaking PII (emails, names, user data)
- 6 companies exposing auth tokens
This was coordinated with YC and Supabase security teams.
The root cause is almost always the same: developers create new tables and forget to enable RLS. The anon key is public by design—security comes entirely from Row-Level Security policies.
Happy to answer questions about methodology or findings.
victor_y•1h ago
Key findings: - 71 companies with accessible databases audited - 20.1M rows exposed to anonymous access - 28% leaking PII (emails, names, user data) - 6 companies exposing auth tokens
This was coordinated with YC and Supabase security teams.
The root cause is almost always the same: developers create new tables and forget to enable RLS. The anon key is public by design—security comes entirely from Row-Level Security policies.
Happy to answer questions about methodology or findings.