impulsive
Mythos user
Apr 28 7 tweets 4 min read
Tucker Carlson's subscriber database has no access controls. Newsmax was leaking subscriber names and zip codes to anyone who queried an email. Patrick Bet-David's app exposes 290,000 home addresses with zero authentication. Alex Jones' platform lets you pull any user's viewing history.

I reported all four over a month ago. none of them responded. one of them had already been breached before I got there.
Patrick Bet-David runs Minnect, a paid advice platform. 290,000+ users. I opened one endpoint. no login. no token. no authentication of any kind.

the response contains full user records. real names. real home street addresses. zip codes. cities. states. countries.

Charles L. at [REDACTED] Cindercone Way, Rio Verde, AZ.
Zeus V. at [REDACTED] Queens Gate, Avon, OH.

these aren't fake profiles. both addresses confirmed against public records. real people who paid Bet-David for advice and got their home addresses dumped into an unauthenticated API.

this is one GET request. no account needed. no cookies. no headers. just the URL.

I emailed Minnect on March 27 with full details. followed up with an April 4 deadline. zero response.
Apr 27 7 tweets 6 min read
I went to clickup.com. opened the page source. found a hardcoded API key in the JavaScript. copied it. sent one GET request.

got back 959 email addresses and 3,165 internal feature flags.

employees from Home Depot. Fortinet. Autodesk. Tenable. Rakuten. Mayo Clinic. Permira. Akin Gump. government workers from Wyoming, Arkansas, North Carolina, Montana, Queensland Australia, and New Zealand. a Microsoft contractor. 71 clickup employees.

Fortinet sells enterprise firewalls. Tenable makes Nessus, the vulnerability scanner half the industry runs. their employees' emails are exposed because ClickUp hardcoded a third-party API key in a JavaScript file that loads before you even log in.

this was first reported to ClickUp through HackerOne on January 17, 2025. it's now April 2026. the key has not been rotated. I just pulled the response five minutes ago. every email is still there.

ClickUp raised $535 million at a $4 billion valuation. claims 85% of the Fortune 500 use their platform. looks like the proof is in the page source.
the key is a Split.io SDK token. it's in the production JS bundle on app-cdn.clickup.com. loads every time anyone visits the site. no account needed. no session needed at all. just view source and the SDK key is yours.

one request to Split.io's API returns 4.5MB of ClickUp's internal configuration. every feature flag, every targeting rule, every email in every whitelist. billing experiments, churn prevention offers, AI pricing tiers, rate limiter IP whitelists, infrastructure routing.

the emails are inside flags like "ai-brain-as-agent" and "automation-squad-on-schedule-trigger." these are the customers clickup hand-picked for feature rollouts. enterprise accounts or beta testers. the ones they care about most.

there's a flag called "enable-missing-authz-checks." it's active. the config lists 5 API endpoints that ClickUp themselves flagged as having no authorization. they documented their own security holes in a config anyone can read and still haven't fixed them.

when I first reported this, one of the flags had a live ClickUp API token embedded in it. a service account for Fairfax County Public Schools. one of the largest school districts in the US. 180,000 students. it pulled 1,066 staff records including their Chief Financial Services data. they removed that token since my report. they never rotated the key that exposed it.
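The two steps the thread describes (a credential sitting in a public JS bundle, then a feature-flag config whose targeting whitelists carry e-mail addresses and whose flag names document missing authorization checks) are easy to check for mechanically. The script below is an added example and is not ClickUp's, Split.io's or the thread author's code. The JS fragment and the flag config are constructed here; the JSON shape is an assumption modelled on the Split SDK's splitChanges layout (splits, conditions, matcherGroup, matchers, whitelistMatcherData), the config field name `authorizationKey` is the one Split's JS SDK uses for the SDK key, and the flag names are taken from the thread while every address, endpoint and key value is a placeholder.

```python
"""Mine a front-end bundle for hardcoded SDK keys, then mine a Split.io-style
feature-flag config for e-mail addresses in targeting whitelists and for flags
whose names match a watch-list. Added example; all data below is constructed."""
from __future__ import annotations

import re
from collections import defaultdict

# Config field names that commonly hold a third-party credential in client JS.
KEY_FIELDS = ("authorizationKey", "apiKey", "api_key", "sdkKey", "sdk_key", "accessToken")
# Field name, then ':' or '=', then a quoted literal of 16+ token-like characters.
KEY_RE = re.compile(r"\b(" + "|".join(KEY_FIELDS) + r")\b\s*[:=]\s*[\"']([A-Za-z0-9_\-]{16,})[\"']")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def find_hardcoded_keys(js_text: str) -> list[tuple[str, str]]:
    """Return (field, value) pairs for credential-looking literals in a JS bundle."""
    return [(m.group(1), m.group(2)) for m in KEY_RE.finditer(js_text)]


def _iter_matchers(split: dict):
    # Assumed layout: split -> conditions[] -> matcherGroup -> matchers[]
    for cond in split.get("conditions", []):
        for matcher in cond.get("matcherGroup", {}).get("matchers", []):
            yield matcher


def whitelist_emails(config: dict) -> dict[str, list[str]]:
    """Map flag name -> e-mail addresses found in that flag's WHITELIST matchers."""
    found: dict[str, list[str]] = defaultdict(list)
    for split in config.get("splits", []):
        for m in _iter_matchers(split):
            if m.get("matcherType") != "WHITELIST":
                continue
            for entry in m.get("whitelistMatcherData", {}).get("whitelist", []):
                if EMAIL_RE.match(entry):
                    found[split["name"]].append(entry)
    return dict(found)


def flags_matching(config: dict, pattern: str, active_only: bool = True) -> list[str]:
    """Names of flags whose name matches `pattern` (a regex), by default only ACTIVE ones."""
    rx = re.compile(pattern)
    return [
        s["name"]
        for s in config.get("splits", [])
        if rx.search(s["name"]) and (not active_only or s.get("status") == "ACTIVE")
    ]


def redact(email: str) -> str:
    """Keep only the domain, so a report proves exposure without re-leaking the address."""
    return "<redacted>@" + email.split("@", 1)[1]


# Constructed bundle fragment (not ClickUp's code); the key value is a placeholder.
SAMPLE_BUNDLE = """
var factory = SplitFactory({core:{authorizationKey:"abcdefghijklmnopqrstuvwxyz012345",key:"anon"}});
var ok = true; var name = "user"; // unrelated string literals must not match
"""

# Constructed config in the assumed splitChanges shape; addresses and paths are placeholders.
SAMPLE_CONFIG = {
    "splits": [
        {"name": "ai-brain-as-agent", "status": "ACTIVE", "conditions": [
            {"matcherGroup": {"matchers": [
                {"matcherType": "WHITELIST", "whitelistMatcherData":
                    {"whitelist": ["alice@example.com", "bob@example.org", "team-beta"]}}]}}]},
        {"name": "enable-missing-authz-checks", "status": "ACTIVE", "conditions": [
            {"matcherGroup": {"matchers": [
                {"matcherType": "WHITELIST", "whitelistMatcherData":
                    {"whitelist": ["/api/v1/example-endpoint"]}}]}}]},
        {"name": "old-experiment", "status": "ARCHIVED", "conditions": []},
    ]
}

if __name__ == "__main__":
    for field, value in find_hardcoded_keys(SAMPLE_BUNDLE):
        print(f"hardcoded {field}: {value[:6]}... ({len(value)} chars)")
    for flag, emails in whitelist_emails(SAMPLE_CONFIG).items():
        print(f"{flag}: {[redact(e) for e in emails]}")
    print("watch-list hits:", flags_matching(SAMPLE_CONFIG, r"authz|unauth|bypass"))
```

Run it against a saved bundle and a saved config response by swapping the two samples for file contents; `redact` keeps the evidence in a report limited to domains, which is what a vendor needs to confirm the finding and what you can share without repeating the leak.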
Apr 24 5 tweets 3 min read
Fireflies.ai is exposing US government emails and private meeting recordings to anyone on the internet. Zero authentication. I found 44 .gov employee emails from a single city agency through one API call. No login. No token. Nothing.

Their GraphQL API returns full participant emails, meeting recordings, and AI-generated summaries to anyone who queries it. I had to censor the data myself.
This is not limited to one organization. I found over 200 meeting IDs already indexed on public threat intel platforms like AlienVault OTX and Disney. These are meetings from companies and agencies across the world, all queryable through the same zero-auth API.

Fireflies sends meeting links via email, Slack, and calendar invites. Those URLs get indexed by automated scanners and end up in public databases. The meeting ID was never the security layer. There is no security layer.
Apr 23 5 tweets 3 min read
North Korean Lazarus Group has weaponized this exact class of Microsoft-signed kernel driver.
It is sitting on MILLIONS of Windows PCs right now.
It gives any local process full control from the deepest level of Windows.

5 lines of code. Zero validation.
Your antivirus can't stop what runs below the OS.
One driver. 47 secret commands. Zero access control on any of them.
12 for arbitrary physical memory read/write
6 for raw port I/O at any address
2 for full PCI config space read/write
Dump LSASS. Walk page tables. Patch kernel memory. Disable protected security processes. Kill your EDR. Load unsigned code.

This is what ransomware gangs pay serious money for.

Dell ships it for free. Still officially signed and trusted by Microsoft. Still pushed through Windows Update right now.
Apr 20 5 tweets 4 min read
Lovable has a mass data breach affecting every project created before November 2025.

I made a Lovable account today and was able to access another user's source code, database credentials, AI chat histories, and customer data. all of it is readable by any free account.

Nvidia, Microsoft, Uber, and Spotify employees all have accounts. the bug was reported 48 days ago. it's not fixed. They marked it as duplicate and left it open.
Here's how I accessed another user's profile, listed their public projects, and downloaded the source code of an admin panel for Connected Women in AI, a real Danish nonprofit. the project was last edited 10 days ago. the developer has 3,703 edits this year. this is not abandoned. this is active.

I extracted the database credentials from the source code and queried it. got back real names, real companies, real LinkedIn profiles. speakers from Accenture Denmark and Copenhagen Business School. not test data. not "John Doe". real people at real companies who have no idea their information is exposed.

this is not hacking. this is five API calls from a free account.
Apr 17 4 tweets 3 min read
AMD is shipping a vulnerable kernel driver in the Razer Blade 16 BIOS updater. it's sitting in the same folder as ANOTHER vulnerable driver that's been publicly known and documented as dangerous for years.

both are signed. both can be weaponized by malware to bypass your antivirus, take complete control of your computer from the inside, read anything stored in memory including passwords and crypto wallet keys, and load ransomware/malware without your PC putting up a fight.

this is exactly what ransomware/malware operators and state-backed groups hunt for every single day.
BiosToolCommonDriver.sys, internal name `affdriver` (AMD Field Fusing / RPMC). 47KB. WHQL + AMD Sectigo dual signed, signed October 2023. AMD's cert has since expired but the timestamp keeps the signature valid; it still loads on current Windows.

18 IOCTLs, all Ghidra confirmed, all verified with a working PoC.

any admin-level process opening this device can read or write any physical memory address up to 4KB per call, read or write any PCI device's config space, read or write any CPU MSR with no allowlist (one write to IA32_LSTAR redirects every syscall on the system through attacker code), do raw port I/O across the full 64K range including keystroke injection via the i8042 keyboard controller, read BIOS flash contents directly, allocate contiguous DMA buffers, and translate any virtual address to physical, which breaks KASLR.

an admin-only device ACL is meaningless in BYOVD because attackers already have admin when they load the driver. not on Microsoft's HVCI blocklist. no CVE. densest primitive set I've seen in a single WHQL-signed driver.
Apr 16 5 tweets 2 min read
Windows defender has been compromised.
right now there is a public unpatched exploit that gives any app on your windows PC full system admin access. no password. no popup. nothing

your antivirus doesn't stop it. your antivirus IS the exploit. Windows Defender is the attack vector.

ransomware gangs can use this to encrypt your entire machine and steal every saved password, browser session, and discord token you have. fully patched windows 11. real time protection on

thread
when defender finds a suspicious file with a cloud tag it tries to "fix" it by rewriting the file back to its original location

the exploit races this with an oplock and a junction. Defender thinks it's writing to a temp folder. it's actually writing into C:\Windows\System32. Defender delivers the payload for you.

no admin. no UAC. your antivirus is the payload delivery mechanism.