How do I know if someone is actively hacking my app right now?
Watch five signals: (1) a spike in failed logins, (2) a traffic spike at hours your users are normally asleep, (3) requests to endpoints that don't exist (scanning), (4) a spike in 401/403 responses (credential or token guessing), (5) a single IP hammering one endpoint. Check your Vercel, Supabase and Stripe logs for the last 24 hours. One signal alone can be noise (a crawler, a user who forgot their password); several at once means you're being attacked.
Active intrusion leaves fingerprints. Here's where to look in 5 minutes:
**Vercel Analytics / Logs:**
- Open the Logs tab and filter by error status codes.
- Look for 403/401 clusters: attackers probing auth or replaying stolen tokens.
- Look for 404 bursts on paths like `/wp-admin`, `/phpmyadmin`, `/.env`, `/config.json`: scanning tools checking whether you run a common stack. A Next.js app on Vercel has no reason to serve any of these.
- Filter by IP. One IP making 100+ requests in a minute is a bot; a human browsing makes 10-20. Before you block, check that the IP isn't a shared egress (corporate NAT, a mobile carrier) or your own uptime monitor.
- Runtime log retention is short on lower plans, so export the window you need before it ages out.
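The five signals from the short answer, applied to a request-log export. This is an added example, not Securie's or Vercel's code: it reads JSON lines with `ts`, `ip`, `method`, `path` and `status` fields (a constructed approximation of a platform log export; map your provider's field names onto these), and every threshold is an assumption lifted from the rules of thumb above. The sample log is constructed inline so the script runs offline.

```python
"""Triage an exported request-log slice for the five attack signals.

Added example (not Securie's or Vercel's code). Input is JSON lines with
ts, ip, method, path and status fields, a constructed approximation of a
platform request-log export; map your provider's field names onto these.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Paths that generic scanners probe and that a Next.js/Supabase app never serves.
SCANNER_PATHS = ("/wp-admin", "/wp-login.php", "/phpmyadmin", "/.env", "/config.json", "/.git/")

# Thresholds are assumptions taken from the rules of thumb above; tune them per app.
PER_MINUTE_BOT = 100     # requests from one IP within one clock minute
ENDPOINT_HAMMER = 50     # requests from one IP to one path within one clock minute
AUTH_FAIL_CLUSTER = 20   # 401/403 responses to one IP across the slice
SCAN_404_BURST = 5       # 404s on scanner paths from one IP across the slice
OFF_HOURS = range(0, 6)  # 00:00-05:59 UTC treated as "weird hours" for a US user base
OFF_HOURS_SHARE = 0.5    # flag when more than half of the slice falls in off-hours


def parse_events(lines):
    """Parse JSON-lines records; timestamps are ISO 8601 with Z or an offset."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def triage(lines):
    """Return one entry per signal: {ip: count} for IP-based signals, an int for off-hours."""
    events = parse_events(lines)
    per_ip_minute, per_ip_path_minute = Counter(), Counter()
    auth_fail, scan_404 = Counter(), Counter()
    off_hours = 0
    for e in events:
        minute = e["ts"].replace(second=0, microsecond=0)
        per_ip_minute[(e["ip"], minute)] += 1
        per_ip_path_minute[(e["ip"], e["path"], minute)] += 1
        if e["status"] in (401, 403):
            auth_fail[e["ip"]] += 1
        if e["status"] == 404 and e["path"].startswith(SCANNER_PATHS):
            scan_404[e["ip"]] += 1
        if e["ts"].hour in OFF_HOURS:
            off_hours += 1

    findings = {"high_rate_ip": {}, "endpoint_hammering": {}, "auth_fail_cluster": {},
                "scanner_probing": {}, "off_hours_traffic": 0}
    for (ip, _minute), n in per_ip_minute.items():
        if n >= PER_MINUTE_BOT:
            findings["high_rate_ip"][ip] = max(n, findings["high_rate_ip"].get(ip, 0))
    for (ip, _path, _minute), n in per_ip_path_minute.items():
        if n >= ENDPOINT_HAMMER:
            findings["endpoint_hammering"][ip] = max(n, findings["endpoint_hammering"].get(ip, 0))
    for ip, n in auth_fail.items():
        if n >= AUTH_FAIL_CLUSTER:
            findings["auth_fail_cluster"][ip] = n
    for ip, n in scan_404.items():
        if n >= SCAN_404_BURST:
            findings["scanner_probing"][ip] = n
    if events and off_hours / len(events) > OFF_HOURS_SHARE:
        findings["off_hours_traffic"] = off_hours
    return findings


def constructed_sample():
    """Constructed log lines: one credential-stuffing/scanning IP plus one normal user."""
    t0 = datetime(2024, 1, 1, 3, 0, tzinfo=timezone.utc)  # 03:00 UTC, inside OFF_HOURS
    lines = []
    for i in range(120):  # 120 rejected logins from one IP inside a single minute
        ts = (t0 + timedelta(milliseconds=500 * i)).isoformat()
        lines.append(json.dumps({"ts": ts, "ip": "203.0.113.7", "method": "POST",
                                 "path": "/api/login", "status": 401}))
    for i, path in enumerate(("/wp-admin", "/wp-login.php", "/phpmyadmin",
                              "/.env", "/config.json", "/.git/config")):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(json.dumps({"ts": ts, "ip": "203.0.113.7", "method": "GET",
                                 "path": path, "status": 404}))
    for i in range(12):  # a human clicking around at a normal pace
        ts = (t0 + timedelta(seconds=5 * i)).isoformat()
        lines.append(json.dumps({"ts": ts, "ip": "198.51.100.20", "method": "GET",
                                 "path": "/dashboard", "status": 200}))
    return lines


if __name__ == "__main__":
    for signal, value in triage(constructed_sample()).items():
        print(f"{signal}: {value}")
```

The off-hours check is the weakest of the five because it has no baseline: a real deployment compares the slice against the same hour on previous days. The other four are per-IP counters, which is why the shared-egress caveat above matters before you turn a finding into a block rule.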
**Supabase Logs:**
- Auth logs → sign-in attempts. A spike in failures spread across many different accounts is credential stuffing; many failures against one account is a targeted guess.
- Database → Postgres logs / Query Performance. Look for reads returning thousands of rows when your app normally returns 1-10. A query on a per-user table with no per-user filter usually means a Row Level Security policy is missing and someone has noticed.
- Sudden activity from unexpected countries (if your users are in the US, traffic from elsewhere deserves a look). Treat geography as corroboration, not proof: VPNs and travelling users produce the same picture.
**Stripe Logs:**
- Unusually small charges. Attackers validate stolen cards with the cheapest purchase they can make before spending on them elsewhere. Stripe enforces a minimum charge (roughly $0.50 USD), so look for charges at or just above the minimum rather than for $0.01.
- Bursts of failed payments from many different cards within a few minutes: a card-testing attack, usually aimed at an unauthenticated checkout or payment-intent endpoint. If Radar is enabled, it will show some of these as blocked in the same period.
- Refunds you didn't initiate. Rare, and it means your secret key or dashboard login is compromised. Developers → Logs records the source IP of every API request; compare those against your hosting provider's addresses.
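The two card-testing patterns above (a burst of declines across many distinct cards, and a cluster of tiny successful charges) as a check you can run over a charge export. This is an added example, not Stripe's or Securie's code: each record mimics a subset of the Stripe Charge object (`id`, `created`, `amount` in cents, `currency`, `status`, `payment_method_details.card.fingerprint`), the sample data is constructed, and the bucket size and thresholds are assumptions to tune against your normal decline rate.

```python
"""Flag card-testing patterns in a list of Stripe-style charge records.

Added example, not Stripe's or Securie's code. Each record mimics a subset of
the Stripe Charge object (id, created, amount in cents, currency, status,
payment_method_details.card.fingerprint); the sample below is constructed.
"""
from collections import defaultdict

# Thresholds are assumptions; tune to your normal decline rate and volume.
WINDOW_SECONDS = 600           # group charges into 10-minute buckets
FAILED_IN_WINDOW = 10          # failed charges in one bucket ...
DISTINCT_CARDS_IN_WINDOW = 8   # ... spread across at least this many distinct cards
SMALL_AMOUNT_CENTS = 100       # successful charges of $1.00 or less
SMALL_SUCCESS_IN_WINDOW = 3    # how many of them in a bucket before we care


def detect_card_testing(charges):
    """Return a list of alert dicts, one per suspicious pattern per bucket."""
    buckets = defaultdict(lambda: {"failed": 0, "cards": set(), "small_success": 0})
    for c in charges:
        bucket = c["created"] - c["created"] % WINDOW_SECONDS
        fingerprint = c["payment_method_details"]["card"]["fingerprint"]
        b = buckets[bucket]
        if c["status"] == "failed":
            b["failed"] += 1
            b["cards"].add(fingerprint)   # many distinct cards failing = stolen cards being tested
        elif c["status"] == "succeeded" and c["amount"] <= SMALL_AMOUNT_CENTS:
            b["small_success"] += 1
    alerts = []
    for start, b in sorted(buckets.items()):
        if b["failed"] >= FAILED_IN_WINDOW and len(b["cards"]) >= DISTINCT_CARDS_IN_WINDOW:
            alerts.append({"window_start": start, "kind": "failed_burst_many_cards",
                           "failed": b["failed"], "distinct_cards": len(b["cards"])})
        if b["small_success"] >= SMALL_SUCCESS_IN_WINDOW:
            alerts.append({"window_start": start, "kind": "small_successful_charges",
                           "count": b["small_success"]})
    return alerts


def charge(i, created, amount, status, fingerprint):
    """Build one constructed charge record in the shape detect_card_testing expects."""
    return {"id": f"ch_constructed_{i:03d}", "created": created, "amount": amount,
            "currency": "usd", "status": status,
            "payment_method_details": {"card": {"fingerprint": fingerprint}}}


def constructed_sample():
    """Constructed export: a card-testing burst, then ordinary traffic hours later."""
    base = 1_700_000_400   # constructed epoch time, aligned to a WINDOW_SECONDS boundary
    charges = []
    for i in range(15):    # 15 declines from 15 different cards within 140 seconds
        charges.append(charge(i, base + 10 * i, 1999, "failed", f"fp_stolen_{i:02d}"))
    for i in range(3):     # three $0.50 "does this card work" charges that went through
        charges.append(charge(100 + i, base + 200 + i, 50, "succeeded", f"fp_stolen_{i:02d}"))
    charges.append(charge(200, base + 3600, 4999, "succeeded", "fp_regular_customer"))
    charges.append(charge(201, base + 7200, 2499, "failed", "fp_expired_card"))  # one ordinary decline
    return charges


if __name__ == "__main__":
    for alert in detect_card_testing(constructed_sample()):
        print(alert)
```

Keying on the card fingerprint rather than the last four digits is deliberate: the fingerprint identifies a card across customers and payment methods, so the distinct-card count can't be fooled by one card re-entered with different billing details.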
**Cloudflare / Vercel Firewall (if you have one):**
- Shows blocked attacks by type. A spike in 'SQL injection attempt' or 'XSS attempt' blocks means scanners have found you. A low, steady background of these is normal for anything on the public internet; what matters is the jump relative to your baseline, and whether the same IPs also show up in the application logs above.
**If you're actively being attacked:**
1. Turn on Vercel Firewall / Cloudflare rules and block the attacking IP, ASN or country if the source is obvious. Export the relevant logs first; you will want them for the post-mortem and they may age out.
2. Rotate any keys that might be compromised: the Supabase service role key, the Stripe secret key, deploy tokens, and anything that ever shipped in a client bundle.
3. Add rate limits to login, password reset, sign-up and any expensive endpoint (search, export, payment-intent creation).
4. If you suspect credential stuffing got through, force-logout all users by revoking sessions, and reset the password on every account whose login succeeded from the attacking IPs.
5. Call for help: if this is beyond your depth, hire an incident-response firm for the first 24 hours. It's expensive but compresses the damage.
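Step 3 in working form: a sliding-window limiter for the login endpoint that caps attempts per IP (loosely, because of shared egress) and per account (tightly). This is an added example, not Supabase's or Vercel's code; the limits are assumptions, the state lives in process memory, and on a serverless or multi-instance deployment the same logic needs a shared store such as Redis or a database table.

```python
"""Sliding-window rate limit for a login endpoint, keyed per IP and per account.

Added example, not Supabase's or Vercel's code. State lives in process memory,
which is fine for a single server; on serverless or multi-instance deployments
the same logic needs a shared store (Redis or a database table).
"""
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key in any `window`-second span."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)   # key -> timestamps of recent events

    def _prune(self, key, now):
        q = self.events[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        return q

    def retry_after(self, key, now):
        """0.0 if another event is allowed now, else seconds until the window frees up."""
        q = self._prune(key, now)
        if len(q) < self.limit:
            return 0.0
        return q[0] + self.window - now

    def record(self, key, now):
        self.events[key].append(now)


# Assumed limits: a loose per-IP cap (shared NAT, mobile carriers) and a tight per-account cap.
IP_LIMITER = SlidingWindowLimiter(limit=30, window=60)
ACCOUNT_LIMITER = SlidingWindowLimiter(limit=5, window=300)


def check_login_attempt(ip, email, now=None):
    """Return (allowed, retry_after_seconds). Call this before touching the password check."""
    now = time.monotonic() if now is None else now
    account_key = email.strip().lower()   # normalise so Alice@Example.com shares alice's budget
    IP_LIMITER.record(ip, now)            # every request that reached us counts against the IP
    wait = max(IP_LIMITER.retry_after(ip, now) if len(IP_LIMITER.events[ip]) > IP_LIMITER.limit else 0.0,
               ACCOUNT_LIMITER.retry_after(account_key, now))
    if wait > 0:
        return False, wait                # respond 429 with Retry-After; do not hit the database
    ACCOUNT_LIMITER.record(account_key, now)
    return True, 0.0


if __name__ == "__main__":
    t = 1000.0
    for i in range(7):   # constructed: one IP trying one account seven times in seven seconds
        print(i + 1, check_login_attempt("203.0.113.7", "alice@example.com", now=t + i))
```

Counting attempts rather than failures keeps the check ahead of the database call, which is the point during an attack: a rejected request should cost you nothing. Return the wait in a `Retry-After` header and log the key that tripped, because those log lines are the failed-login spike from signal (1) in a form you can alert on.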
Securie's scan (launching this year) will test the same attack paths attackers use — sign-up abuse, credential stuffing, endpoint probing, ID-swapping. Join the list for a week-1 run and see the report in plain English without waiting for a real attack.