@rish
1/
Schedly knew about the incident but didn't rotate their API key. The cast where they knew is linked: https://farcaster.xyz/schedly/0x78cf7c79
The developer manually copied over all signer UUIDs for their users and stored them in their own Supabase account in the last 24 hours.
The external Supabase account, alongside the API key, was then either hacked or leaked, or the developer maliciously used it themselves to post on behalf of others.
No Neynar or Farcaster products were breached as part of this.
Neynar doesn't give out access to Farcaster signer private keys (they're encrypted at rest in an isolated database). We give out Signer UUIDs that developers can use with their API keys. Our API keys can be rotated at any time; you need both the API key and signer_uuid to post. Both are meant to be secrets and are noted as such in our docs.
2/
Re: my account - I try miniapps built on Farcaster, which is how they got my signer. It's since been revoked.