Drawafish.com Postmortem: Whoops

Summary

DrawAFish.com TL;DR: Incident Duration: ~6 hours (2AM–8AM EST) Impact: Username vandalism (slurs) Offensive fish approved / safe fish removed Root Causes: Legacy 6-digit admin password exposed in past data breach Username update API lacked authentication JWT not tied to specific user Mitigation: Manual reversal of mod actions, fixed authorization logic, backups reviewed Takeaway: hwoopsy daisy 🙂 Did you see? Did you see it? What it says? What it says on top of the website? If you were on HackerNews on Aug 1 2025, you may have seen DrawAFish.com. Because it was in the number 1 spot. You also may have seen it if you follow me on instagram. You also probably saw that I was in the #1 spot on Hackernews there too. Because I posted about it a lot. And also if you talked to me in person you probably heard about it. And then you probably heard a lot of quotes from The Social Network (2010) where I replaced various words with "Fish." "A million fish isn't cool. You know what's cool? A billion fish." If you read the post on Hackernews, you saw that the website was an exercise in vibe-coding. I used Copilot to implement features, and I used it to implement features fast. In my career,[0] I have learned the art of "Blameless Postmortems." The problem with a Blameless Postmortem is that it doesn't really work when you're the sole contributor. So this is a blameful postmortem. And I blame me. (Not the LLM, sorry). If you saw the website only on August 1, you probably do not understand why I need to write a postmortem at all. Everything went swimmingly (ha, ha). But if you had the displeasure of viewing my website between the hours of 2AM (20 minutes after I went to sleep) and 8AM (when I woke up)[1] EST on Aug 3, then you would have seen chaos. Every single username was transformed to a heinous slur, many unsavory fish had made it into the fishtank, and many beautiful fish were gone. How did this happen? The Vulnerabilities This is not what they changed my username to. I'll let y...