Fireflies.ai is exposing US government emails and private meeting recordings to anyone on the internet. Zero authentication. I found 44 .gov employee emails from a single city agency through one API call. No login. No token. Nothing.
Their GraphQL API returns full participant emails, meeting recordings, and AI-generated summaries to anyone who queries it. I had to censor the data myself.
This is not limited to one organization. I found over 200 meeting IDs already indexed on public threat intel platforms like AlienVault OTX and Disney. These are meetings from companies and agencies across the world, all queryable through the same zero-auth API.
Fireflies sends meeting links via email, Slack, and calendar invites. Those URLs get indexed by automated scanners and end up in public databases. The meeting ID was never the security layer. There is no security layer.
Some of the meetings Fireflies is exposing with zero authentication:
- US government agency meetings (Peace Corps, city government branches)
- Healthcare company meetings (Cardinal Health)
- National trade committees (CII National Committee on Exports, India)
- Corporate strategy meetings referencing Disney
- Cybersecurity assessment calls (the irony)
- HR open enrollment meetings with employee benefits data
All returned creator emails and meeting data from a single unauthenticated API call.
I reported this to Fireflies on April 7th. They acknowledged it and asked me to submit through HackerOne. I filled out their own bug bounty form at fireflies.ai/bug-bounty instead.
Fireflies has raised over $50M in funding. They record your meetings, transcribe your conversations, and summarize everything discussed. And they shipped an API with no authentication on the endpoints that serve all of that data.
This is not a misconfiguration. This is a product that was built without basic access control.
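To make the missing control concrete, here is an added illustration (not Fireflies' code and not the thread author's) of a meeting resolver in the shape the thread describes, where the meeting ID is the only thing the endpoint checks, beside the hardened shape where the ID only locates the record and a separate authenticated identity decides access. The store, meeting ID and addresses are constructed sample data.

```python
"""Constructed example: a meeting ID must locate a record, never authorize it.
Not Fireflies' code; the store, ID and addresses are made up for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Meeting:
    meeting_id: str
    creator: str
    participants: List[str]
    summary: str


# Constructed store keyed by the ID that appears in shared meeting links.
MEETINGS: Dict[str, Meeting] = {
    "mtg-0001": Meeting(
        "mtg-0001", "alice@example.gov",
        ["alice@example.gov", "bob@example.gov"],
        "Budget review notes (constructed)",
    ),
}


class AccessDenied(Exception):
    """Raised when the requester may not see the meeting (or it does not exist)."""


def resolve_meeting_unauthenticated(meeting_id: str) -> dict:
    """Vulnerable shape: anyone who knows or scrapes the ID gets everything."""
    m = MEETINGS[meeting_id]
    return {"participants": m.participants, "summary": m.summary}


def resolve_meeting(meeting_id: str, requester: Optional[str]) -> dict:
    """Hardened shape. `requester` is the identity established by the
    session/token layer before the resolver runs; None means no credentials."""
    if requester is None:
        raise AccessDenied("authentication required")
    m = MEETINGS.get(meeting_id)
    # Same failure for "no such meeting" and "not your meeting", so a leaked
    # or guessed ID cannot be used to confirm that a meeting exists.
    if m is None or (requester != m.creator and requester not in m.participants):
        raise AccessDenied("not found or not permitted")
    return {"participants": m.participants, "summary": m.summary}
```

Under the hardened resolver an ID that leaked through an email, Slack message or calendar invite yields nothing on its own; the same query that returns data for a participant is refused for an anonymous or unrelated caller.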