by victor_y
142 days ago
Author here. We built Supabomb (https://github.com/ModernPentest/supabomb) to audit Supabase security and decided to test it against YC companies. Key findings:
- 71 companies with accessible databases audited
- 20.1M rows exposed to anonymous access
- 28% leaking PII (emails, names, user data)
- 6 companies exposing auth tokens

This was coordinated with YC and Supabase security teams. The root cause is almost always the same: developers create new tables and forget to enable RLS. The anon key is public by design—security comes entirely from Row-Level Security policies. Happy to answer questions about methodology or findings.
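As an added illustration of the root cause described in the post (this is not code from Supabomb, the post's author, or Supabase): a table created with RLS off, the same table after enabling RLS and adding owner-only policies, and an audit query that lists tables in the `public` schema still lacking RLS. The table and column names are made up; `auth.uid()`, `auth.users`, and the `anon`/`authenticated` roles are Supabase's standard ones.

```sql
-- Weak: a freshly created table in the public schema. PostgREST exposes it
-- through the anon key, and with RLS off any anonymous request can read
-- every row. (Table and columns are illustrative, not from the post.)
create table public.profiles (
  id uuid primary key references auth.users (id),
  email text not null,
  full_name text
);

-- Fix 1: turn RLS on. With no policies defined yet, Postgres denies all
-- row access to non-owner roles such as anon and authenticated by default.
alter table public.profiles enable row level security;

-- Fix 2: grant back only what is intended. A signed-in user may read and
-- update their own row; anonymous requests match nothing because
-- auth.uid() is null for the anon role.
create policy "profiles: owner can read"
  on public.profiles for select
  to authenticated
  using (auth.uid() = id);

create policy "profiles: owner can update"
  on public.profiles for update
  to authenticated
  using (auth.uid() = id)
  with check (auth.uid() = id);

-- Audit query: list ordinary tables in the exposed schema that still have
-- RLS disabled (pg_class.relrowsecurity is false). Run it as a privileged
-- role in the SQL editor; an empty result is what you want to see.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and n.nspname = 'public'
  and not c.relrowsecurity
order by 2;
```

Enabling RLS without any policy is a safe default-deny state; policies are then added per table for exactly the access each role needs.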