20M Rows Exposed: Security Audit of 107 YC Startups Using Supabase (opens in new tab)

(modernpentest.com)

1 pointsvictor_y1mo ago1 comments

1 comments

Author here. We built Supabomb (https://github.com/ModernPentest/supabomb) to audit Supabase security and decided to test it against YC companies.

Key findings: - 71 companies with accessible databases audited - 20.1M rows exposed to anonymous access - 28% leaking PII (emails, names, user data) - 6 companies exposing auth tokens

This was coordinated with YC and Supabase security teams.

The root cause is almost always the same: developers create new tables and forget to enable RLS. The anon key is public by design—security comes entirely from Row-Level Security policies.

Happy to answer questions about methodology or findings.

j / k navigate · click thread line to collapse

1 comments

victor_yOP1mo ago

Author here. We built Supabomb (https://github.com/ModernPentest/supabomb) to audit Supabase security and decided to test it against YC companies.

Key findings: - 71 companies with accessible databases audited - 20.1M rows exposed to anonymous access - 28% leaking PII (emails, names, user data) - 6 companies exposing auth tokens

This was coordinated with YC and Supabase security teams.

The root cause is almost always the same: developers create new tables and forget to enable RLS. The anon key is public by design—security comes entirely from Row-Level Security policies.

Happy to answer questions about methodology or findings.

j / k navigate · click thread line to collapse