If they're ignoring GDPR because they're in the US, you can potentially flag these as COPPA violations. COPPA is serious stuff. Courts can fine over $50k for each violation, where each individual impacted can be considered a unique violation. COPPA applies to under-13s; I'm not sure if there are age restrictions in place to join Hack Club, but if there isn't even a privacy policy, I doubt age restrictions are properly enforced.
> so in july 2025, i discovered that neighbourhood was exposing thousands of users' full legal names through an unprotected API endpoint. literally anyone with a slack ID could access this data. no authentication, no nothing. just a URL parameter and boom, there's your real name.
> i sent formal breach notifications to security@hackclub.com and gdpr@hackclub.com on july 9th. radio silence. nothing. not even an automated "we've received your email" response.
> when i tried talking to HQ staff informally, the responses were... well, shocking doesn't quite cover it. the first intern told me that since hack club is US-based, they're "not held to GDPR," that if fined "nothing compels us to pay it," and that EU people "void your EU protections" by coming to the US.
What? How did we get from (allegedly) informing them about a security vulnerability to them responding "nothing compels us to pay it"? It feels like the author is not being quite as candid in their account of the events as one would hope.
> yep. no auth. just an email parameter. and what did it return?
> full names. emails. phone numbers. flight receipts. all just by passing an email address in a URL.
> i reported it through their security bounty program, made a bug fix pr (because apparently that's how you get things done around here), and maybe made the slight mistake of sharing the vulnerable endpoint in that group chat - which less than 10 people saw, for what that's worth.
The author then proceeds:
> their security bounty program states minimum payouts for this kind of thing start around $150. but exposing passport numbers (which are classed as government documents) should bump it up significantly. apparently "responsible disclosure" means "don't tell anyone, even in a private chat" so they docked the entire payout.
I'm not sure why they're being seemingly sarcastic about responsible disclosure. Yes, responsible disclosure absolutely means that you disclose this to the vendor before disclosing it to anyone else. As someone who works as a penetration tester and security researcher (both at work and in my free time), in my opinion, there should be no confusion about what responsible disclosure is. You disclosing the vulnerability in public before the vendor has had the chance to fix or apparently even triage it is not "responsible disclosure" or a "slight mistake".
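As an added example that is not part of the original post and not Hack Club's code, here is the endpoint shape the two quoted passages describe (a record looked up by a slack ID or e-mail taken straight from the URL, with no authentication) written as a toy Python handler, beside a hardened version that takes identity from the session, refuses any record but the caller's own, and returns only a minimal field set. It ends with a small check over constructed access-log lines that flags a client asking for many different e-mails, which is what an unauthenticated lookup endpoint invites. All records, tokens and log lines are constructed, and the login/session design is an assumption, not the project's.

```python
"""
Added example (not from the post or from Hack Club): a toy user-lookup API in
the shape the quoted post describes (identity taken from a URL parameter, no
authentication), next to a hardened handler, plus a small access-log check.
Every name, record and log line below is constructed for the example.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample records; fake people and fake identifiers.
USERS = {
    "ada@example.org": {"slack_id": "U0001", "name": "Ada Example",
                        "phone": "+1-555-0100", "address": "1 Sample St",
                        "passport": "X0000001"},
    "bob@example.org": {"slack_id": "U0002", "name": "Bob Example",
                        "phone": "+1-555-0101", "address": "2 Sample St",
                        "passport": "X0000002"},
}

# Fields a user may see about themselves through this endpoint. Passport,
# address and phone never leave the backend via this route.
SELF_VIEW_FIELDS = {"slack_id", "name"}


def vulnerable_lookup(query):
    """The pattern the post describes: whoever supplies ?email=... gets the
    whole record. No authentication, no authorization, no field minimization."""
    return USERS.get(query.get("email"))


# --- Hardened shape: authenticate, authorize, minimize ---------------------

SESSIONS = {}  # bearer token -> email, filled in at login (assumed design)


def login(email):
    """Stand-in for a real login flow; returns an opaque session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token


def _resolve_session(token):
    # Compare in constant time so token validation does not leak by timing.
    if not token:
        return None
    for known, email in SESSIONS.items():
        if hmac.compare_digest(known, token):
            return email
    return None


def hardened_lookup(query, bearer_token):
    """Returns (status, body). The caller's identity comes from the session,
    never from the URL; the URL may only name the caller's own record."""
    caller = _resolve_session(bearer_token)
    if caller is None:
        return 401, None            # not authenticated
    requested = query.get("email", caller)
    if requested != caller:
        return 403, None            # same answer whether or not the e-mail
                                    # exists, so nothing can be enumerated
    record = USERS.get(caller)
    if record is None:
        return 404, None
    return 200, {k: v for k, v in record.items() if k in SELF_VIEW_FIELDS}


# --- Detection: one client asking for many different e-mails ---------------

# Constructed access-log lines: client, method, path, status.
SAMPLE_LOG = """\
203.0.113.5 GET /api/user?email=ada%40example.org 200
203.0.113.5 GET /api/user?email=bob%40example.org 200
203.0.113.5 GET /api/user?email=carol%40example.org 200
203.0.113.5 GET /api/user?email=dan%40example.org 200
198.51.100.7 GET /api/user?email=ada%40example.org 200
198.51.100.7 GET /static/logo.png 200
"""


def enumeration_suspects(log_text, threshold):
    """Clients that requested at least `threshold` distinct e-mail values
    from /api/user. A legitimate user asks about one address: their own."""
    seen = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        client, _method, path, _status = parts
        url = urlsplit(path)
        if url.path != "/api/user":
            continue
        for email in parse_qs(url.query).get("email", []):
            seen.setdefault(client, set()).add(email.lower())
    return {c for c, emails in seen.items() if len(emails) >= threshold}


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup({"email": "ada@example.org"}))
    tok = login("bob@example.org")
    print("hardened, own record:", hardened_lookup({}, tok))
    print("hardened, someone else:", hardened_lookup({"email": "ada@example.org"}, tok))
    print("suspects:", enumeration_suspects(SAMPLE_LOG, 3))
```

The hardened handler answers 403 for any e-mail other than the caller's, whether or not that e-mail exists, so the endpoint cannot be used to confirm who is registered; and even the caller's own response omits the passport, phone and address fields, which a profile lookup has no reason to return. The log check is deliberately crude (distinct e-mail values per client over the sampled lines) and would be tuned against real traffic before alerting on it.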
It sounds like the author started off by telling them they're doing illegal stuff. It's unclear if it's actually illegal or not... but they naturally got the other side defensive and tried to avoid the author
If instead they framed it in terms of "hey you guys are sharing stuff you probably didn't mean to" then the reaction would have likely been different
I'm not going to pretend this is an easy read. So I wouldn't blame you if you stopped early. However, there's a section titled "the surveillance infrastructure (orpheus engine)" which claims that children's private information is being distributed to third-parties without consent.
Sounds like Hack Club is doing a great job at preparing teenagers for the real world: nobody cares about the things you care about as much as you do. The most important skill to learn for the real world is to pick your battles. Using ChatGPT for legal advice is dumb, but it’s not your battle to fight.
Who cares? I mean, obviously this author, but pointing out "GDPR this" and "GDPR that" isn't going to make a difference or move the needle. Many companies have given up on GDPR - I've made requests and had blanket refusals to provide data.
Report them, you say? Many DPC's such as the Irish DPC are very friendly in terms of their lax approach to the regulation, just ask Max Schrems, he's been at this for years. I think the EU and the regulators do not have resources to enforce the law, so whilst there are requirements to protect customer data, nothing bad happens if you don't. Just check the top of HN as I write this [1] "Checkout.com hacked, refuses ransom payment, donates to security labs". Will anyone be arrested, charged, fined, or otherwise penalized? Nope, not a chance. I 100% guarantee absolutely nothing will happen as a result of this article. GPT makes it so easy to capture user data these days and people will just willingly hand it over.
The truth is, you should be very careful what data you hand out, always. Use an alias, use privacy tools, always be wary and check if they have a privacy policy, check to see if it works (make a dummy account, do a GDPR request, if no reply, be wary).
If they are not serious about privacy, stop, think and act accordingly. While it is a disgrace what these individuals have done, individuals need to take personal responsibility just as in a real world, would you trust a random stranger giving you pills? Hopefully not!
Wow! Just wow! Just as I think the situation cannot get any worse, the OP reveals even worse things going on. I know the UX of this blog and the lack of capitalization is going to turn many people off! But I urge you to power through and read the whole OP anyway.
Use reader mode, block JavaScript or whatever it takes. Give the author a break. They're a teenager. What kind of websites were you making as a teenager? I'm sure one of those dark background websites with MARQUEEs and BLINKs with glaring contrast colors! So give them a break. Behind the annoying UX is an article about serious and appalling privacy and security issues.
Like read this:
> i raised this with chris, who's a full-time staff member (not a teenager), and he insisted that exposing physical addresses and sensitive info was "just a vuln" not a breach. said he's "never heard the term 'data breach' used that way" and... also relied on chatgpt instead of actual legal advice.
Actually this Chris guy has a point. I don't call it a breach either. It's PII data exposure, but it is a serious exposure. So I don't 100% agree with the OP, but the cavalier attitude towards security coming from the staff of a legitimate organization is appalling.
It's just mind boggling that an organization handling PII data has such appalling privacy and security lapses and they still remain arrogantly indignant about it, making bold claims about laws they don't understand. Why? Because ChatGPT told them so? Cherry on top is they are employing teenagers to answer legal questions! Not kidding! Just read the OP! Unbelievable!
> Actually this Chris guy has a point. I don't call it breach either. It's PII data exposure but it is a serious exposure.
At least California defines it as
> unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person.
https://oag.ca.gov/privacy/databreach/reporting
My child has been involved in Hack Club for a number of years, and I support their mission. However, HC do seem to be lacking in "adult supervision", and I understand that is kind of their approach: having the kids figure stuff out on their own. However, there are things that kids, due to lack of experience, just can't figure out for themselves. For example, the reliance on ChatGPT and reluctance to use professional SMEs is a very "immature" attitude.
This sort of cavalier attitude is going to get them in trouble; I'm honestly surprised that this hasn't already gotten them into trouble. Hack Club has enough money that they can easily be a worthwhile target if any of their decisions turns out badly.
I'm going to be a bit oblique here because I don't want HC to take this out on my child, but at one of the HC events, the "figure it out for yourselves" approach led to our child making decisions and taking actions that could very easily have turned life-threatening. Another situation led to our child being "ditched" in a foreign city and unsure how to get ahold of anyone on the ground to help.
Hack Club is a great idea, and I'm glad it exists, but I do think that the way it is currently organized is going to end badly.
As someone who is part of the Hack Club community, I would urge caution before blindly trusting this account.
- This person has also used their access to attempt to extort the admins and their Airtable data, demanding a bounty payment for access they were previously given.
- In her arguments about the program leads earning higher bounties, they had said that they both did bounties for Coinbase and Google, neither of which is a non-profit.
- Many of her arguments are flawed in other ways.
Theo (yes the ffmpeg guy) also commented on it in a livestream, and I would just point to that:
> This feels really in the weeds of something we are not supposed to see externally. It is a lot of writing for what seems like clueless people doing backend
> As someone who is part of the Hack Club community, I would urge caution before blindly trusting this account.
As the parent of a Hack Clubber, a lot of what is said here rings true to our experience with the Hack Club leadership.
They created a new website just for this topic, and named it "kill yourself LLC". Not something you'd do if you wanted to be taken seriously, just IMO. Smells more like a KiwiFarms user.
However there's still no excuse for these problems if they are describing it correctly. When you're storing the home address of thousands of users, (1) you shouldn't do that at all for this type of organisation and (2) you should be very careful to protect it and (3) the first several times it gets stolen, you should think harder about whether your protection is working and there should never be a several+1th time.
Companies should quickly realize that ChatGPT can go both ways - it can turn a "script-kiddie" into fully fledged hacker if vulnerabilities continue to be this sloppy. I am fairly certain that low-skill hacker sweatshops already heavily rely on LLMs to quickly exploit trivial vulnerabilities like these.
Like it or not, but I feel like account logins, PII and payment stuff will have to be handled by central big orgs. Ideally, I would like that to be a competent open-source government service. For now it is big companies like Google that can shove their SSO around in an accessible manner to other sites.
For all of you discussing the chatgpt, this was after borderline harassing an intern who quoted ChatGPT as a joke in her DMs. There was no legal advice. There used to be a previous version with receipts and screenshots if I remember correctly, with very, very extensive discussions within Hack Club (to the order of thousands of messages of critical discussion).
Please take what's said here with a grain of salt. This is the same person who attempted to extort Hack Club out of thousands by using an airtable token they previously had (all tokens have since been examined as to whether they are truly necessary).
> another asked: "if you found a security vulnerability within hackclub, severe or major, given how they have currently handled reports so far, would YOU report it and go through the same process and payouts that previous people have experienced?"
> the answer from most people was a resounding no.
Popular request is for the program to be expanded. I don't know about the "resounding no".
> teenagers are positioned as "independent contractors" to avoid employment protections, holiday pay, and wage floors. this isn't "scrappy nonprofit" energy - it's child exploitation dressed up as opportunity.
It isn't a full-time job.
> email compliance failures
Recently, email sending has been revamped, and there are tools to subscribe to individual mailing lists.
Criticism isn't ever censored - there's anonymous reporting, a public forum channel for feedback (which only has temporary threadlocks upon very inflammatory or irrelevant discussion), and you can discuss it anywhere else within the Slack.
I could keep going, but the raw truth is that this misses a lot of context for independent observers.
I'm usually the type to be annoyed at hn people who nitpick about articles but.. this is unreadable.
It's an article by a teenager. We weren't making any great websites as teenagers either. I remember websites with glaring contrast and moving marquees and blinks everywhere. At least the author here writes full words without abbreviating every word. So the author is already writing better than what I wrote as a teenager.
May I suggest you use reader mode to remove the annoying flashing background? If you can get past the annoying UX of the article, it has interesting stories about serious issues.
> Hack Club has been handling children's data for 4 years without a privacy policy
The title doesn't make it sound bad.
I mean, besides lawyers, who cares if some legal document is missing. You can respect privacy without a privacy policy, plenty of people do.
Here, it seems the actual problem is that there is no adult in the room, literally. Just kids that are completely clueless about how to care about personal data. Here, "no privacy policy" doesn't just mean "we dislike paperwork", it means "we are letting kids play with personal data without adult supervision".
I participated in a few hackathons early in my career. I quickly realized that I wasn't benefitting at all from participating in them. In fact, they were a great way to fall behind in the work I actually needed to get done. Those organizing the hackathons on the other hand...
I'm not at all surprised that people are trying to program young teenage minds to think hackathons are a good pathway to advancing one's tech skills / career. Nor am I surprised to hear all of the sketchy behavior surrounding this organization and their leadership. It all fits very nicely together.
Hackathons can be fun. And I think that people should try and do one or two when they are in college (ideally run by a university, not a shady 3rd party). The Microsoft puzzle challenge (idk if that still exists) is also great. These are fun, give you a bit of networking, probably won't get you a job. Your university work gets you a job.
As someone who has co-founded and co-organized a leaderful non-hierarchical community that has lasted 10 years of weekly hacknights (we've literally never missed a week) and many generations of stewards... I've done reflection on the value of messiness/disorder and "aggressively relaxed" constraints. I sometimes tongue-in-cheek describe myself as having some meagre expertise in "operationalising anarchy", which is only half a joke :)
I suspect the things this author is critiquing and the internal resistance to it is DIRECTLY related to the wonderful things this org can do and how it operates.
I'm of the belief that you can't truly love a thing without loving its mother. This applies to orgs as it does all creatures undergoing evolutionary processes. If you do straddle this belief tension, you perhaps love something other than the thing you thought you loved. And this other thing you love will eventually take shape under your care and watch. Which is nice, that "what we put our attention on grows".[1]
So obviously, you are permitted to love a thing and take issue with its incubating process/culture, but I would suggest you're the site of contradiction that has some explaining to do. If you win and change the process of the thing you love, the thing you love is on a new path toward being something else. And maybe that's fine. A new seed will grow in the empty space. People probably need to have a thing to love that looks like the thing you loved. It will be back.
But there's some other healthy dissonance here that the author isn't grasping. I would say this to them: You are the bringer of the end of what you love, not its saviour. It's all good -- these transitions happen, and in a more zen sense, it can come to pass without [my] judgement. But just please understand your role. You're not a hero, you're a death. Maybe a healthy one, but a death all the same. The thing you love perhaps won't survive your care.
To be clear, I have very mixed feelings. The critiques are valid, but I wish I could acknowledge them without compulsion to demand an action. I think orgs that work like this need to stay small, only scale horizontally (inspiring/supporting other sister orgs to grow), and resist any central/vertical scaling that brings you under the rules and norms that they are desperately trying to steer clear of, but are now accountable to (according to our shared societal values).
[1]: http://adriennemareebrown.net/2012/08/09/giftingmyattention/
I don't understand the UX complaints? I thought we needed to re-wild the web and do more weird shit when we feel like it?
Not sure if it is just me, but the background animation absolutely kills my browser (Chrome) and scrolling is _super_ laggy.
The worst part to me is the lack of a scroll bar. Had to dust off the pgup/pgdown keys to check my progress in the article.
I have a RTX Pro 6000 as my main GPU currently, and this website pins it to ~40% utilization! Never seen a website do that before, some sort of kudos to the webmaster is deserved.
It still renders smoothly though and doesn't go above 40C so I guess it could have been worse.
40% might just mean nothing because your core is probably not running at full clock.
With that website open it runs at 2850 MHz, to be specific; it normally idles at 400-500 MHz with ~20 processes (firefox, gnome-shell, alacritty, etc, etc) using the GPU
>13 years old hardware, Linux, Chromium-based browser, seems fine to me.
FWIW it's smooth on my $150 android shitbox.
I'm using a high-end ThinkPad for CAD and it's slowing down the page for me too.
I would highly suggest blocking JS while you're only browsing. Pages load fast, most trackers won't load, and it's better for security, as most browser exploits leverage JS all the time
Exactly this. I was surprised to see these comments and then I realized that NoScript blocked the JS (as it should have). The web is so much nicer without JS.
the animation is so useless and doesn't add anything to the actual post
I had no performance problems on my Thinkpad T410.
Oh wait, it's because it is too old to have WebGL support so the background crashed and thus consumed no processing power.
yes, had to use reader mode.
I expected this to happen. I knew people who were involved in the organization who were unnecessarily chummy to TPOT/Postrat/FTX culture before it blew up.
Also see https://web.archive.org/web/20250920074405/https://ella.ad/p...
No idea why this was flagged. This is a really good article in terms of both form and content and I was very surprised to learn that the author is actually also a teenager.
I get it, some people dislike the appearance but c'mon, this is HN. If we can use vi(1) on a 80 column terminal, reading an html page is not an impossible task.
As a union organizer with Hack Club staff, this is only the surface - the things that are clear to the end consumer. It gets a whole lot worse on the inside; from payment below minimum wage, mandatory overtime beyond child labor law, hiring kids as contractors to deny them rights, union busting & retaliation and a blatant disrespect for members and community democracy despite pretending to be "teen-led." I'm not going to re-hash the whole thing here, I've written an article on my blog, but Hack Club is a deeply misleading "charity" that suckers teens in trying to build a better world and funnels them towards supporting our ever-rapid decline into techno-fascism at the hands of the wealthy elite funding them.
This user was banned from Hack Club for attempting to stage an "uprising" against the org, and has also engaged in tactics like Wikipedia vandalism. I would not take their word for being "a union organizer with Hack Club staff", although their blog does make several good points (https://place.reeseric.ci/writings/2024-05-05/)
More transparency on the background of this poster: https://hackmd.io/@alexjs/Bkm1KIpxR
Data privacy should not be optional.
If they're ignoring GDPR because they're in the US, you can potentially flag these as COPPA violations. COPPA is serious stuff. Courts can fine over $50k for each violation, where each individual impacted can be considered a unique violation. COPPA applies to under 13s, I'm not sure if there are age restrictions in place to join Hack Club, but if there isn't even a privacy policy, I doubt age restrictions are properly enforced.
Hack Club realized this, and now doesn’t allow anyone under the age of 13 to participate in its programs (COPPA doesn’t apply to people over 13).
> so in july 2025, i discovered that neighbourhood was exposing thousands of users' full legal names through an unprotected API endpoint. literally anyone with a slack ID could access this data. no authentication, no nothing. just a URL parameter and boom, there's your real name.
> i sent formal breach notifications to security@hackclub.com and gdpr@hackclub.com on july 9th. radio silence. nothing. not even an automated "we've received your email" response.
> when i tried talking to HQ staff informally, the responses were... well, shocking doesn't quite cover it. the first intern told me that since hack club is US-based, they're "not held to GDPR," that if fined "nothing compels us to pay it," and that EU people "void your EU protections" by coming to the US.
What? How did we get from (allegedly) informing them about a security vulnerability to them responding "nothing compels us to pay it"? It feels like the author is not being quite as candid in their account of the events as one would hope.
Their other blog post[1] shares some more information which seems like it's relevant.
From the post:
> then i found this one:
> https://juice.hackclub.com/api/get-roommate-data?email=dont@...
> yep. no auth. just an email parameter. and what did it return?
> full names. emails. phone numbers. flight receipts. all just by passing an email address in a URL.
> i reported it through their security bounty program, made a bug fix pr (because apparently that's how you get things done around here), and maybe made the slight mistake of sharing the vulnerable endpoint in that group chat - which less than 10 people saw, for what that's worth.
The author then proceeds:
> their security bounty program states minimum payouts for this kind of thing start around $150. but exposing passport numbers (which are classed as government documents) should bump it up significantly. apparently "responsible disclosure" means "don't tell anyone, even in a private chat" so they docked the entire payout.
I'm not sure why they're being seemingly sarcastic about responsible disclosure. Yes, responsible disclosure absolutely means that you disclose this to the vendor before disclosing it to anyone else. As someone who works as a penetration tester and security researcher (both at work and in my free time), in my opinion, there should be no confusion about what responsible disclosure is. You disclosing the vulnerability in public before the vendor has had the chance to fix or apparently even triage it is not "responsible disclosure" or a "slight mistake".
[1] - https://kys.llc/blog/oops-leaked-your-passport
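The endpoint quoted above is a textbook object-level authorization failure: a user-supplied identifier selects the record and nothing checks who is asking. As an added example (not the post's or Hack Club's code; all records, sessions and names are constructed), here is that pattern beside a hardened handler that authenticates the caller, ties the lookup to the caller's own identity, and returns only the fields the feature needs.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records mirroring the kinds of fields the post says
# were exposed (names, phone numbers, passport data, flight receipts).
ROOMMATE_DATA = {
    "alice@example.test": {"name": "Alice Example", "phone": "+1-555-0100",
                           "passport": "X1234567", "flight": "receipt-1.pdf"},
    "bob@example.test":   {"name": "Bob Example", "phone": "+1-555-0101",
                           "passport": "X7654321", "flight": "receipt-2.pdf"},
}

# Constructed session store: bearer token -> authenticated user's email.
SESSIONS = {"tok-alice": "alice@example.test", "tok-bob": "bob@example.test"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def get_roommate_data_vulnerable(email: str) -> Response:
    """The pattern the post describes: the query parameter alone selects
    the record; there is no authentication and no ownership check."""
    record = ROOMMATE_DATA.get(email)
    return Response(200, record) if record else Response(404)


def get_roommate_data_hardened(email: str, session_token: Optional[str]) -> Response:
    """Hardened form: require a valid session, require that the requested
    object belongs to the caller, and return only the needed fields."""
    caller = SESSIONS.get(session_token or "")
    if caller is None:
        return Response(401)
    # Object-level authorization: the user-supplied identifier must match
    # the authenticated principal, never just "exist in the database".
    if email.casefold() != caller.casefold():
        # 404 rather than 403 so the endpoint does not confirm that the
        # requested email is registered (avoids an enumeration oracle).
        return Response(404)
    record = ROOMMATE_DATA.get(caller)
    if record is None:
        return Response(404)
    # Data minimization: passport numbers and receipts never leave the server
    # through this endpoint, regardless of who is asking.
    return Response(200, {"name": record["name"]})
```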
It sounds like the author started off by telling them they're doing illegal stuff. It's unclear if it's actually illegal or not, but they naturally got the other side defensive, and they tried to avoid the author.
If instead they framed it in terms of "hey you guys are sharing stuff you probably didn't mean to" then the reaction would have likely been different
Asking AI to give free legal advice is a special kind of stupid.
> i discovered that neighbourhood was exposing thousands of users' full legal names through an unprotected API endpoint.
Headline really buries the lede: this is the issue, not some missing ToS boilerplate.
The map is not the territory, the security policy is not the security.
I'm not going to pretend this is an easy read. So I wouldn't blame you if you stopped early. However, there's a section titled "the surveillance infrastructure (orpheus engine)" which claims that children's private information is being distributed to third-parties without consent.
Sounds like Hack Club is doing a great job at preparing teenagers for the real world: nobody cares about the things you care about as much as you do. The most important skill to learn for the real world is to pick your battles. Using ChatGPT for legal advice is dumb, but it’s not your battle to fight.
It absolutely is their battle to fight. This organisation appears to be exploiting them and their data.
Agreed.
DEATH handing out swords to kids as Santa in the Hogfather is a funny joke, not an example to follow.
Who cares? I mean, obviously this author, but pointing out "GDPR this" and "GDPR that" isn't going to make a difference or move the needle. Many companies have given up on GDPR - I've made requests and had blanket refusals to provide data.
Report them, you say? Many DPCs such as the Irish DPC are very friendly in terms of their lax approach to the regulation; just ask Max Schrems, he's been at this for years. I think the EU and the regulators do not have resources to enforce the law, so whilst there are requirements to protect customer data, nothing bad happens if you don't. Just check the top of HN as I write this [1]: "Checkout.com hacked, refuses ransom payment, donates to security labs". Will anyone be arrested, charged, fined, or otherwise penalized? Nope, not a chance. I 100% guarantee absolutely nothing will happen as a result of this article. GPT makes it so easy to capture user data these days and people will just willingly hand it over.
The truth is, you should be very careful what data you hand out, always. Use an alias, use privacy tools, always be wary and check if they have a privacy policy, check to see if it works (make a dummy account, do a GDPR request; if no reply, be wary).
If they are not serious about privacy, stop, think and act accordingly. While it is a disgrace what these individuals have done, individuals need to take personal responsibility just as in the real world: would you trust a random stranger giving you pills? Hopefully not!
[1]: https://news.ycombinator.com/item?id=45912698