I found a Vulnerability. They found a Lawyer.

Hacker News
February 20, 2026
AI-Generated Deep Dive Summary
A diving instructor and platform engineer discovered a critical security flaw in the member portal of a major diving insurer during a trip to Cocos Island. The vulnerability exposed personal data, including that of minors, through sequential user IDs combined with a default password that could be easily guessed. Despite responsibly disclosing the issue on April 28, 2025, with a 30-day embargo, the organization responded not with gratitude but with legal threats. The incident highlights the dilemma security researchers face when organizations prioritize legal action over transparency and remediation.

The vulnerability stemmed from a flawed registration process: new users received accounts with incrementing numeric IDs and a static default password that was rarely changed. Registering three students in succession, for example, produced three consecutive IDs sharing the same credential, so anyone who knew the pattern could log in to other members' accounts and read full names, addresses, phone numbers, and dates of birth. The absence of rate limiting, account lockout, and multi-factor authentication (MFA) meant nothing slowed down or detected a sweep across the ID range.

To confirm the scope, the researcher wrote a Selenium browser-automation script that tried the default password against a range of IDs. This proof of concept showed that a significant portion of accounts were still protected only by the unchanged default credential. The researcher emphasized that testing was deliberately limited to establishing scope rather than exploiting accounts, while noting how easily a malicious actor could have done the same.

The researcher disclosed the issue responsibly and gave the organization more than eight months to address it before deciding to go public. Although the vulnerability was eventually resolved, there was no confirmation of whether affected users were notified or if internal security practices were
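The provisioning flaw described above, modelled as an added example in Python; this is not the researcher's Selenium script or the insurer's code, and every identifier, the ID range, and the default password string are constructed stand-ins. The vulnerable class issues incrementing IDs with one shared default password and no lockout; the hardened class issues opaque random IDs, a unique one-time password that must be reset on first login, a per-account lockout, and a per-source attempt budget. A local sweep function plays the role of the scoped "try the default against a range of IDs" check, with no network involved.

```python
import secrets
from dataclasses import dataclass

# Constructed stand-ins for this example; the real portal's default password,
# ID scheme and thresholds are not reproduced here.
DEFAULT_PASSWORD = "Welcome2025"
MAX_FAILURES = 5               # per-account lockout threshold (hardened model)
MAX_ATTEMPTS_PER_SOURCE = 20   # per-client attempt budget per window (hardened model)


@dataclass
class Account:
    user_id: str
    password: str
    must_reset: bool = False
    failures: int = 0
    locked: bool = False


class VulnerablePortal:
    """Incrementing numeric IDs, one shared default password, no lockout and no
    rate limiting. Registering three students yields three guessable logins."""

    def __init__(self):
        self.next_id = 1000
        self.accounts = {}

    def register(self, _name):
        uid = str(self.next_id)          # next ID is predictable from the previous one
        self.next_id += 1
        self.accounts[uid] = Account(uid, DEFAULT_PASSWORD)
        return uid

    def login(self, uid, password, source="any"):
        acct = self.accounts.get(uid)
        return acct is not None and acct.password == password


class HardenedPortal:
    """Opaque random IDs, a unique one-time password per account that must be
    reset on first login, per-account lockout and a per-source attempt budget."""

    def __init__(self):
        self.accounts = {}
        self.attempts = {}   # source -> attempts in the current window

    def register(self, _name):
        uid = secrets.token_hex(8)         # not derivable from a neighbour's ID
        temp = secrets.token_urlsafe(12)   # delivered out of band, single use
        self.accounts[uid] = Account(uid, temp, must_reset=True)
        return uid, temp

    def login(self, uid, password, source="any"):
        # Charge every attempt, including ones against non-existent IDs, so an
        # enumeration sweep exhausts the source's quota whether or not the ID is real.
        self.attempts[source] = self.attempts.get(source, 0) + 1
        if self.attempts[source] > MAX_ATTEMPTS_PER_SOURCE:
            return False
        acct = self.accounts.get(uid)
        if acct is None or acct.locked:
            return False
        if secrets.compare_digest(acct.password, password):
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
        return False


def sweep_default_password(portal, start, stop, password=DEFAULT_PASSWORD):
    """Local model of the scoped check: try one password against a range of
    numeric IDs and count how many accounts accept it."""
    return sum(
        1 for n in range(start, stop)
        if portal.login(str(n), password, source="scanner")
    )


if __name__ == "__main__":
    weak = VulnerablePortal()
    for name in ("student-a", "student-b", "student-c"):
        weak.register(name)
    print("vulnerable: default password accepted on",
          sweep_default_password(weak, 1000, 1100), "accounts")

    strong = HardenedPortal()
    uid, temp = strong.register("student-a")
    print("hardened: own one-time password works:", strong.login(uid, temp))
    print("hardened: sweep finds", sweep_default_password(strong, 1000, 1100), "accounts")
```

Note that per-account lockout alone would not have stopped the original pattern, because a sweep makes only one attempt per account; it is the unique, unguessable initial credential that removes the exposure, with the per-source budget and opaque IDs making any remaining sweep slow and blind.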
Verticals
techstartups
Originally published on Hacker News on 2/20/2026