MattIPv4 9 hours ago

Related: https://news.ycombinator.com/item?id=47824426

https://x.com/theo/status/2045862972342313374
> I have reason to believe this is credible.

https://x.com/theo/status/2045870216555499636
> Env vars marked as sensitive are safe. Ones NOT marked as sensitive should be rolled out of precaution

https://x.com/theo/status/2045871215705747965
> Everything I know about this hack suggests it could happen to any host

https://x.com/DiffeKey/status/2045813085408051670
> Vercel has reportedly been breached by ShinyHunters.
|
tom1337 5 hours ago

> Ones NOT marked as sensitive should be rolled out of precaution

If it's not marked as sensitive (because it is not sensitive), there is no reason to roll them. If you must roll an insensitive env var, it should've been sensitive in the first place, no?

jackconsidine 3 hours ago

There's a difference between sensitive, private and public. If public (i.e. NEXT_PUBLIC_) then yeah, likely not a reason to roll. Private keys that aren't explicitly sensitive probably are still sensitive. It doesn't seem to be the default to have things "sensitive" and I can't tell if that's a new classification or has always been there. I can imagine the reason why an env variable would be sensitive but need to be re-read at some point. But overwhelmingly it makes sense for the default to be set, and never accessed again (i.e. Fly env values, GCP Secret Manager etc.)
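The public / sensitive / private split above is easy to turn into a triage script for a leak of the kind being discussed. The following is an added example, not code from the thread or from Vercel: it assumes a hypothetical export shape (name, value, sensitive flag), a hypothetical `NEXT_PUBLIC_` prefix list, and the quoted claim that values stored as "sensitive" are safe, which you should confirm with the host before relying on it. Every value in the sample is constructed for the example. Anything private and not marked sensitive is treated as exposed; a Shannon-entropy heuristic (thresholds are assumptions) only orders the rotation work so that credential-shaped values are rolled first.

```python
import math
from collections import Counter

# Constructed sample in the shape of a hypothetical per-project env export
# (name, value, sensitive flag). This is not a real Vercel export format and
# every value below is made up for the example.
SAMPLE_ENV = [
    {"name": "NEXT_PUBLIC_API_URL", "value": "https://api.example.com", "sensitive": False},
    {"name": "DATABASE_URL", "value": "postgres://app:Tr0ub4dor3xyz@db.internal:5432/app", "sensitive": False},
    {"name": "STRIPE_SECRET_KEY", "value": "sk_test_4eC39HqLyjWDarjtT1zdp7dc", "sensitive": True},
    {"name": "LOG_LEVEL", "value": "info", "sensitive": False},
]

# Assumed prefix list; extend for other frameworks (VITE_, REACT_APP_, ...).
PUBLIC_PREFIXES = ("NEXT_PUBLIC_",)


def classify(var: dict) -> str:
    """Three buckets from the comment above: public, sensitive, private."""
    if var["name"].startswith(PUBLIC_PREFIXES):
        return "public"      # bundled into the browser anyway; nothing to protect
    if var.get("sensitive"):
        return "sensitive"   # write-only on the host; assumed not exposed (verify!)
    return "private"         # readable on the host and not marked: treat as leaked


def shannon_entropy(value: str) -> float:
    """Bits per character; random tokens score high, words and URLs lower."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def looks_like_secret(value: str, min_len: int = 16, threshold: float = 4.0) -> bool:
    """Cheap heuristic to rank rotation work; min_len/threshold are assumptions."""
    return len(value) >= min_len and shannon_entropy(value) >= threshold


def action_for(var: dict) -> str:
    """'none' for public or sensitive values, 'rotate' for private values that
    look like credentials, 'review' for the remaining private values (they may
    still be secrets the heuristic misses, so a human decides)."""
    if classify(var) != "private":
        return "none"
    return "rotate" if looks_like_secret(var["value"]) else "review"


def rotation_plan(env: list) -> list:
    """One row per variable with its bucket and the action to take."""
    return [
        {"name": var["name"], "bucket": classify(var), "action": action_for(var)}
        for var in env
    ]


if __name__ == "__main__":
    for row in rotation_plan(SAMPLE_ENV):
        print(f'{row["name"]:<22} {row["bucket"]:<10} {row["action"]}')
```

On the constructed sample this rolls `DATABASE_URL` first, leaves `LOG_LEVEL` for a human to confirm, and skips the public URL and the sensitive-marked key. Feed it the real export and the "review" rows are exactly the values that, per the comment above, probably should have been marked sensitive to begin with.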
|
|
otterley 8 hours ago

Who is this “theo” person and why are multiple people quoting him? He seems to have little to say that’s substantive at this point.

gordonhart 8 hours ago

He’s a tech influencer, probably getting quoted here because he has the biggest reach of people covering this so far.

Aurornis 4 hours ago

He’s a streamer who talks about tech. Previously had a sponsorship relationship with Vercel, so is theoretically more well connected than average on the topic. He’s also very divisive because he does a lot of ragebait, grievance reporting, and contrarian takes, but famously has blind spots for a few companies and technologies that he’s favored in past videos or been sponsored by. I have friends who watch a lot of his videos but I’ve never been able to get into it.

MikeNotThePope 8 hours ago

Theo Browne is a reasonably well known YouTuber & YC founder. https://t3.gg/

nothinkjustai 7 hours ago

He is a paid Vercel shill (literally, he does sponsored content for them on his YouTube channel).

reactordev 7 hours ago

YT tech vlogger