57 points DANmode | 4 comments

Raising more money, but can't reply to vital support/security inquiries?

Like the final request of mine below, asking them to save their own resources, because someone was spinning up fake trials or something using my company's domain:

"Please cancel these signups, they're fraud."

---------- Forwarded message ---------
From: Supabase Auth <noreply@mail.app.supabase.io>
Date: Sat, Jul 12, 2025, 5:15 PM
Subject: Confirm Your Signup
To: <employee@***.com>

Confirm your signup

Follow this link to confirm your user:

Confirm your mail

You're receiving this email because you signed up for an application powered by Supabase

Opt out of these emails

Hi there,

Thanks for reaching out to us. We have received your support request and your ticket id is SU-223879

Free plan will receive no guaranteed support response - we try to respond to outage related issues asap however Pro and Enterprise tickets take priority. Upgrade here.

For non-outage related issues, Free plan users are encouraged to ask their questions inside our GitHub Discussions https://github.com/supabase/supabase/discussions.

The Supabase Team.

Me: This is a pretty bad smell for this to still be unanswered and ongoing.

Your "Opt-Out" link remains broken - how is anyone supposed to get in touch with you?!

2-3 months go by:

Hey,

For security reasons, we’re not able to process requests submitted by email. Please resubmit your request through the Support Portal so we can verify project ownership.

If your request falls into one of these categories, here’s how to proceed:

- If your issue is related to login access and this ticket was closed in error, just reply to this email and we’ll reopen it
- For account deletion, you can remove your account directly in your Supabase dashboard
- For the latest DPA, visit the Legal Documents page
- To report a security issue, please submit it through our HackerOne program

Thanks for your understanding,
Supabase Support Team
Website • Docs • Community • Twitter • Status
Sent from Front

"Wow...I'm not a customer.

Months later, this is still unresolved?"

ibejoeb ◴[] No.45618638[source]
Here's how I'm interpreting this:

    1. your company owns example.com
    2. someone signs up to supabase with alice@example.com
    3. you receive the confirmation email somehow (which probably isn't important)
       a. either the email address is valid,
       b. it is delivered to some catch-all mailbox
    4. you email supabase support notifying them that someone is signing up with an address that your company controls
Is that right? If so, I don't think this is some kind of vital security event. The confirmation email won't be delivered to the purported bad actor, so the account won't verify.
replies(1): >>45620602 #
1. DANmode ◴[] No.45620602[source]
It really depends what's being done with their services during the trial period by someone claiming to be example.com!

(I have no way to know what's possible, or what the spoof accounts are doing - I've never registered with them! Just trying to give a courtesy heads up so they can take a look at bad actors on their platform...)

replies(1): >>45620724 #
2. ibejoeb ◴[] No.45620724[source]
You can't use the services until you confirm the account via email. When you sign up, you provide an email address, and then you're presented with this:

"You've successfully signed up. Please check your email to confirm your account before signing in to the Supabase dashboard. The confirmation link expires in 10 minutes."

If you attempt to sign in before verifying, you'll see:

"Account has not been verified, please check the link sent to your email"

So nothing is going to happen. This is probably a bot probing for accounts. The system is operating as intended. No cause for concern.

----

One more bit: when you receive the initial account email, you'll find a note at the bottom confirming the intention:

"If you didn't request for this, you can safely ignore this email."

replies(1): >>45622690 #
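
The gate described in the comment above, as an added sketch that is not part of the thread and is not Supabase's code: a confirmation token bound to the address and a 10-minute expiry, mailed only to that address, with sign-in refused until it is redeemed. All names here (`sign_up`, `confirm`, `sign_in`, `SERVER_KEY`, the in-memory `accounts` store) are hypothetical, and passwords are left out to keep the focus on the mailbox check.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 10 * 60            # the thread quotes a 10-minute confirmation link
SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment signing key
accounts = {}                         # email -> {"verified": bool}, stand-in for a user table


def _sign(email, expires):
    # MAC over address and expiry, so a token cannot be reused for another address
    msg = f"{email}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def sign_up(email, now=None):
    """Create an unverified account; the returned token is mailed to `email` only."""
    now = time.time() if now is None else now
    accounts.setdefault(email, {"verified": False})
    expires = int(now) + LINK_TTL_SECONDS
    return f"{expires}.{_sign(email, expires)}"


def confirm(email, token, now=None):
    """Mark the account verified only for an unexpired token bound to this address."""
    now = time.time() if now is None else now
    try:
        expires_str, mac = token.split(".", 1)
        expires = int(expires_str)
    except ValueError:                # malformed token
        return False
    if email not in accounts or now > expires:
        return False
    if not hmac.compare_digest(mac.encode(), _sign(email, expires).encode()):
        return False
    accounts[email]["verified"] = True
    return True


def sign_in(email):
    """Refuse sign-in until the mailbox owner has redeemed the link."""
    account = accounts.get(email)
    if account is None:
        return "Unknown account"
    if not account["verified"]:
        return "Account has not been verified, please check the link sent to your email"
    return "ok"
```
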
3. DANmode ◴[] No.45622690[source]
Familiar with botting etc - no, there was NOT a message saying it was safe to ignore it if I didn’t request it.

The Opt out of these emails link was the end of their email.

Unless they’ve changed this since this ordeal began for me on July 12th, this is still a problem.

replies(1): >>45622792 #
4. ibejoeb ◴[] No.45622792{3}[source]
We must be talking about different things, then.

They're active on discord, so maybe bring it up there: https://discord.com/invite/AYybku5cUz