Someone posted my app's data online. What do I do?

Short answer

Move fast. Preserve evidence (screenshots, URLs, timestamps), confirm it's real by sampling specific records, rotate every key + force-logout everyone, hire a privacy lawyer today, pull Supabase logs to trace where the data exited. Do NOT take down the leak post yourself — it's evidence. Your lawyer will tell you the notification timeline (often 72 hours from confirmation).

The order of operations matters more than how quickly you finish any single step. Do not jump straight to notifications — done wrong, they can land you in worse legal trouble than the breach itself. Step by step:

**1. Preserve evidence, first thing.** Screenshot the leak post / paste / GitHub gist / dark-web link. Record URLs, timestamps, and the exact content. Do not try to take the post down yourself — your lawyer may want it preserved for investigation.

**2. Confirm it's real.** Sample 5-10 specific records from the leak and cross-check them against your own database. Scammers sometimes post fake 'leaks' to extort founders; a real leak can be verified by checking attributes an outsider could not guess (internal customer ID sequence, join dates, etc.).

**3. Stop the bleeding.** Rotate every key (Supabase service-role, Stripe, OpenAI, everything). Force-logout all users. If you can identify the leak vector, disable it — revoke an OAuth app, kill an API endpoint, whatever.

**4. Hire a privacy lawyer TODAY.** Not tomorrow. Today. They will tell you what your notification obligations are and by when. GDPR is 72 hours from confirmation; most US states are similar. Missing this window is a separate legal problem on top of the breach.

**5. Trace the exfiltration.** Supabase logs, Stripe logs, Vercel logs. Look for the single query or session that accessed the data that's now public. This tells you whether it's an RLS bug, a leaked key, an insider, or a compromised employee account.

**6. Notify, per your lawyer's plan.** Affected users, regulators (where required), press (if it's going to leak anyway). One honest email with specifics beats 'we take security seriously' by an order of magnitude.

**7. Post-mortem + fix.** After the immediate response, fix the underlying bug permanently. Securie's scan (launching this year) will be a good external audit to run as part of the post-mortem — it documents what you checked and fixed, which becomes evidence of due diligence in any follow-up. Join the list now to have it ready when you need it.
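As an added illustration of steps 2 and 5 (not code from the original post or from Securie), the script below does the two technical checks in the procedure: it cross-checks a handful of sampled leak records against a local copy of the users table to separate a genuine dump from an extortion fake, and it scans access-log lines to find the principal that pulled an anomalous volume of rows. The in-memory SQLite table, the leaked sample, the JSON log lines and their field names (`role`, `sub`, `ip`, `table`, `rows`) are all constructed for the example; a real Supabase or PostgREST log will carry different field names, so map them before reusing `find_bulk_reads`.

```python
"""Added incident-triage example (not from the original post).

Two defender checks from the response steps above:
  (2) confirm a leak is real by sampling records and cross-checking them
      against your own data, and
  (5) trace the exfiltration by finding the principal in your API logs
      that pulled the rows now public.

All data below is constructed for the example; no real service is called.
"""
import json
import sqlite3
from collections import defaultdict

# --- (2) Verify sampled leak records against the production copy -------------

def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for your users table (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, joined TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1001, "a@example.com", "2023-01-04"),
        (1002, "b@example.com", "2023-01-05"),
        (1003, "c@example.com", "2023-02-11"),
        (1004, "d@example.com", "2023-03-30"),
    ])
    return conn

def verify_leak_sample(conn, leaked_records):
    """Cross-check leaked {id, email, joined} records against the DB.

    Returns counts of exact matches, partial matches (email exists but the
    non-public fields differ) and records that do not exist at all. A real
    leak matches on attributes an outsider cannot guess (internal id + join
    date); an extortion fake tends to come back mostly 'unknown' or 'partial'.
    """
    result = {"exact": 0, "partial": 0, "unknown": 0}
    for rec in leaked_records:
        row = conn.execute(
            "SELECT id, joined FROM users WHERE email = ?", (rec["email"],)
        ).fetchone()
        if row is None:
            result["unknown"] += 1
        elif row == (rec["id"], rec["joined"]):
            result["exact"] += 1
        else:
            result["partial"] += 1
    return result

# --- (5) Find the principal that exfiltrated the data ------------------------

# Constructed access-log lines (one JSON object per line), loosely modelled on
# what an API-gateway log records: which role, from where, which table, and
# how many rows came back. Field names are assumptions for the example.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:12:03Z","role":"authenticated","sub":"u-17","ip":"203.0.113.5","table":"users","rows":1}
{"ts":"2024-05-01T09:12:09Z","role":"authenticated","sub":"u-42","ip":"203.0.113.9","table":"users","rows":1}
{"ts":"2024-05-01T11:47:51Z","role":"service_role","sub":null,"ip":"198.51.100.77","table":"users","rows":48211}
{"ts":"2024-05-01T11:48:02Z","role":"service_role","sub":null,"ip":"198.51.100.77","table":"payments","rows":31977}
{"ts":"2024-05-01T12:01:40Z","role":"authenticated","sub":"u-17","ip":"203.0.113.5","table":"payments","rows":3}
""".strip()

def find_bulk_reads(log_text, row_threshold=1000):
    """Group reads by (role, ip) and flag any principal whose total rows
    returned meets the threshold. Returns a dict keyed by (role, ip) with
    total rows, tables touched and first/last timestamp, largest first.
    """
    totals = defaultdict(lambda: {"rows": 0, "tables": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        ev = json.loads(line)
        agg = totals[(ev["role"], ev["ip"])]
        agg["rows"] += ev["rows"]
        agg["tables"].add(ev["table"])
        agg["first"] = agg["first"] or ev["ts"]
        agg["last"] = ev["ts"]
    flagged = {k: v for k, v in totals.items() if v["rows"] >= row_threshold}
    return dict(sorted(flagged.items(), key=lambda kv: -kv[1]["rows"]))

if __name__ == "__main__":
    db = build_sample_db()
    # Constructed "leaked" sample: two genuine rows, one tampered, one invented.
    sample = [
        {"id": 1001, "email": "a@example.com", "joined": "2023-01-04"},
        {"id": 1003, "email": "c@example.com", "joined": "2023-02-11"},
        {"id": 1002, "email": "b@example.com", "joined": "2022-12-31"},
        {"id": 9999, "email": "zz@example.com", "joined": "2023-01-01"},
    ]
    print("leak sample check:", verify_leak_sample(db, sample))
    for (role, ip), info in find_bulk_reads(SAMPLE_LOG).items():
        print(f"bulk read by role={role} ip={ip}: {info['rows']} rows across "
              f"{sorted(info['tables'])} between {info['first']} and {info['last']}")
```

In the constructed data the service-role key read roughly 80k rows from two tables in under a minute from one address, which is the kind of single session step 5 tells you to look for; a result of mostly "unknown" records from `verify_leak_sample` is the signal that the post may be an extortion fake rather than your data. Keep the log export and the verification output with the rest of the preserved evidence.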

People also ask