A hacker emailed me demanding payment or they'll leak my data. What do I do?

Short answer

Do NOT pay. Do NOT reply. Verify first — 90% of these are bluffs sent to thousands of random founders. Ask for a small, specific piece of proof (not the whole dump). If they send real proof, you have a real breach — call a lawyer and do the legal notification steps. Paying rarely ends the extortion.

The bluff playbook: scammers mass-email founders claiming to have their data, hoping one in a hundred pays. Your first job is to determine which you're dealing with.

**Step 1: ask for specific proof.** Reply once asking for a specific, small sample: three customer email addresses + the date their account was created, or a screenshot of your admin panel showing something only you would see. Don't ask for 'proof' vaguely; ask for something a bluff scammer couldn't fake.

**Step 2: if it's a bluff**, block the email, preserve the message, and move on. Never pay — paying marks you as a target and doesn't stop anything.

**Step 3: if it's real**, stop. Do not reply further. Take these steps in order:

1. Call a privacy lawyer today. Seriously — before anything else. They'll tell you what notifications are legally required and when.
2. Screenshot and preserve everything from the attacker.
3. Rotate all keys, force-logout all users, pull Supabase logs to confirm what was accessed.
4. Follow your lawyer's notification plan. In most US states + EU you have 30-72 hours from confirmation.
5. Contact the FBI's IC3 (ic3.gov) and your country's equivalent.

Never pay — it funds the next attack.
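One way to run the Step 1 check once a sample arrives, as an added example (not code from this page): compare each claimed email address and account-creation date against an export of your own user table. The CSV layout, the sample rows, the one-day tolerance for timezone skew, and the two-match threshold are all assumptions; the verdict logic also assumes that email addresses alone can be collected elsewhere, while creation dates cannot.

```python
import csv
import io
from datetime import date, datetime, timezone

# Constructed sample: export of your own users table (timestamps in UTC).
USERS_CSV = """email,created_at
alice@example.com,2023-04-11T09:15:02+00:00
bob@example.com,2023-11-30T23:58:40+00:00
carol@example.com,2024-02-02T14:00:00+00:00
"""

# Constructed sample: the "proof" as received (email, claimed signup date).
CLAIMED = [
    ("Alice@Example.com ", "2023-04-11"),
    ("bob@example.com", "2023-12-01"),   # one day off: timezone skew
    ("dave@example.com", "2022-01-01"),  # not a customer
]

def load_users(csv_text):
    users = {}  # normalized email -> account creation date (UTC)
    for row in csv.DictReader(io.StringIO(csv_text)):
        created = datetime.fromisoformat(row["created_at"]).astimezone(timezone.utc)
        users[row["email"].strip().lower()] = created.date()
    return users

def check_claims(users, claims, tolerance_days=1):  # classify each claimed pair
    results = []
    for email, claimed in claims:
        key = email.strip().lower()
        actual = users.get(key)
        if actual is None:
            verdict = "unknown_email"
        elif abs((actual - date.fromisoformat(claimed)).days) <= tolerance_days:
            verdict = "email_and_date_match"
        else:
            verdict = "email_only"  # address is real, but the date is wrong
        results.append((key, verdict))
    return results

def assess(results, min_matches=2):
    """Creation dates are not public, so repeated date matches point to real access."""
    verdicts = [v for _, v in results]
    if verdicts.count("email_and_date_match") >= min_matches:
        return "likely_real"
    if any(v != "unknown_email" for v in verdicts):
        return "inconclusive"
    return "likely_bluff"

if __name__ == "__main__":
    print(assess(check_claims(load_users(USERS_CSV), CLAIMED)))
```

Run it against an offline export rather than the live database, and keep the output with the preserved messages for your lawyer.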

**Why paying backfires:** ransomware-and-extortion groups talk to each other. A founder who paid once is added to 'will pay' lists and gets extorted again by different groups. Also the data is already out — paying buys a promise that the criminals will delete it, which they usually don't.

Securie's scan (launching this year) will tell you where the leak happened so your lawyer can tell you exactly what notifications are required. Join the early-access list for a week-1 run on your app.
