by ntnn
3057 days ago
> An incognito session would mean he is not using his previous session to gain access. Authentication is more frequently tied to a session than an IP address - this is why you are still logged into HN if you change from your home network to a public wifi, or turn on a VPN.

Yes, that you were aiming at the authentication session hadn't come to my mind as the vulnerability was access without authorization. In the case of a private session or proxy he'd still require a spam mail, create a separate account etc.pp. to just test this explicitly.

> He previously provided a link to a telegram chat specifically with 'You can verify what I said in the chat here'. He has since edited the post and is now claiming differently.

That is indeed bad.

> He disputed both.
>> Later, The CEO, Roy Lai, confirms 'only' 21 people of 'over' 1000 were affected. I tried a fileId of over 6k and it works so you do the math, there were definitely more than 2k.

Unless he edited that as well he disputed the total, not the part.

> [...]

I concur, what seems to actually have happened is quite worse than the version I read.
|
6000 is over 1000. 10000 is over 1000.
If anything the CEO would want to increase the second number. 21 out of 1000 is a worse ratio than 21 out of 10000 :)