[MattIPv4]

Related: https://news.ycombinator.com/item?id=47824426

https://x.com/theo/status/2045862972342313374

> I have reason to believe this is credible.

https://x.com/theo/status/2045870216555499636

> Env vars marked as sensitive are safe. Ones NOT marked as sensitive should be rolled out of precaution

https://x.com/theo/status/2045871215705747965

> Everything I know about this hack suggests it could happen to any host

https://x.com/DiffeKey/status/2045813085408051670

> Vercel has reportedly been breached by ShinyHunters.

[otterley]

Who is this “theo” person and why are multiple people quoting him? He seems to have little to say that’s substantive at this point.

[gordonhart]

He’s a tech influencer, probably getting quoted here because he has the biggest reach of people covering this so far.

[Aurornis]

He’s a streamer who talks about tech. Previously had a sponsorship relationship with Vercel so is theoretically more well connected than average on the topic. He’s also very divisive because he does a lot of ragebait, grievance reporting, and contrarian takes but famously has blind spots for a few companies and technologies that he’s favored in past videos or been sponsored by. I have friends who watch a lot of his videos but I’ve never been able to get into it.

[MikeNotThePope]

Theo Browne is a reasonably well known YouTuber & YC founder.

https://t3.gg/

[nothinkjustai]

He is a paid Vercel shill (literally, he does sponsored content for them on his YouTube channel)

[TiredOfLife]

He literally doesn't. https://x.com/theo/status/1832228209573949947

[djeastm]

Not in a few years.

[reactordev]

YT tech vlogger

[tom1337]

> Ones NOT marked as sensitive should be rolled out of precaution

if it's not marked as sensitive (because it is not sensitive) there is no reason to roll them. if you must roll a insensitive env var it should've been sensitive in the first place, no?

[jackconsidine]

There's a difference between sensitive, private and public. If public (i.e. NEXT_PUBLIC_) then yeah likely not a reason to roll. Private keys that aren't explicitly sensitive probably are still sensitive. It doesn't seem to be the default to have things "sensitive" and I can't tell if that's a new classification or has always been there.

I can imagine the reason why an env variable would be sensitive, but need to be re-read at some point. But overwhelmingly it makes sense for the default to be set, and never access again (i.e. Fly env values, GCP secret manager etc)