55,000 Fake Signups in One Night: A Bot-Detection Post-Mortem
These articles are AI-generated summaries. Please check the original sources for full details.
Jaime Trejo discovered 55,388 fake casino-spam signups flooding their bot-detection product’s database. Only 12 real accounts were registered that night.
Why This Matters
This incident shows the gap between building a security product and using it correctly. The company's own bot-detection API was called without any behavioral signals (no mouse movement, keystroke cadence, or scroll rhythm), so the engine had nothing to judge and every bot passed with a neutral score. The failure left over 113K junk records in the database and, because each registration fired a verification email, risked getting the sending domain blacklisted by the resulting bounce storm.
Key Insights
- “No rate limiting on signup” — The marketing site lacked the per-IP rate limits the public API had from day one; bots POSTed directly to the signup endpoint thousands of times per minute (2026).
- “Dogfooded wrong” — The signup form called the company’s own bot-detection API with only a userId; without behavioral signals such as mouse movement or scroll rhythm, the engine returned neutral scores that cleared every bot (2026).
- “Every fake signup sent a real email” — Each registration fired a verification email to a fake address; the free-tier daily cap from their email provider acted as an accidental circuit breaker, stopping the bounce storm before the domain was blacklisted (2026).
- “Per-IP rate limit on signup (5/min)” — The fix reused an existing atomic counter from their API (~12 lines of code) and shipped the same night, alongside a filter that sends lifecycle emails only to accounts with email_verified = true (2026).
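The three fixes above, as an added example written for this summary (not the company's own code): an atomic per-IP fixed-window counter capped at 5 signups per minute, a gate that rejects submissions carrying no behavioral signals, and a lifecycle-mail selector that only returns verified accounts. The signal field names, the in-process lock standing in for a shared counter such as a Redis INCR, and the handler shape are all assumptions.

```python
"""Added example: per-IP signup rate limit (5/min) plus signal gating.

Illustrative code for this summary, not the product's own implementation.
The counter is process-local (a threading.Lock around a dict); a real
deployment would use a shared atomic counter such as a Redis INCR with
expiry so that every web worker sees the same count.
"""
import threading
import time

WINDOW_SECONDS = 60
LIMIT_PER_WINDOW = 5  # the shipped fix: 5 signups per minute per IP
# Assumed client-side signal names; the real payload keys are not on the page.
REQUIRED_SIGNALS = ("mouse_moves", "key_cadence", "scroll_events")


class AtomicWindowCounter:
    """Fixed-window counter. Increment and compare happen under one lock, so
    two concurrent requests cannot both observe count 4 and both pass."""

    def __init__(self, window=WINDOW_SECONDS, limit=LIMIT_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._lock = threading.Lock()
        self._buckets = {}  # (ip, window_index) -> count

    def allow(self, ip, now=None):
        now = time.time() if now is None else now
        key = (ip, int(now // self.window))
        with self._lock:
            count = self._buckets.get(key, 0) + 1
            self._buckets[key] = count
            return count <= self.limit


def has_behavioral_signals(payload):
    """A submission that carries only an identifier (the 'dogfooded wrong'
    case) has nothing for the scoring engine to work with; reject it rather
    than scoring it neutral."""
    return any(payload.get(name) for name in REQUIRED_SIGNALS)


def handle_signup(payload, ip, limiter, users, now=None):
    """Rate limit first (cheapest check), then require signals, then create
    the row as unverified until the verification email is confirmed."""
    if not limiter.allow(ip, now):
        return 429, "rate limited"
    if not has_behavioral_signals(payload):
        return 400, "no behavioral signals"
    users.append({"email": payload["email"], "email_verified": False})
    return 201, "created; verification email queued"


def lifecycle_recipients(users):
    """Only verified accounts receive lifecycle mail, so junk rows can never
    feed a bounce storm against the sending domain."""
    return [u["email"] for u in users if u["email_verified"]]


if __name__ == "__main__":
    limiter, users = AtomicWindowCounter(), []
    bot = {"email": "casino@spam.invalid", "userId": "abc"}  # constructed
    human = {"email": "a@example.com", "mouse_moves": 40,
             "key_cadence": [120, 95, 110], "scroll_events": 3}  # constructed
    print(handle_signup(bot, "203.0.113.5", limiter, users))
    for _ in range(5):
        print(handle_signup(human, "203.0.113.5", limiter, users))
```

Two caveats a practitioner would add: the absence of signals is a strong negative, but their presence is not proof of a human, since a determined bot can replay recorded mouse and keystroke data, so the gate is a floor under the scoring engine rather than a replacement for it; and a fixed window lets a client burst 2× the limit across a window boundary, which is acceptable for a signup form but worth knowing when the same counter guards something more sensitive.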
Practical Applications
- (useHUMA + fraud detection) Collect full behavioral signals client-side (mouse movement, keystroke cadence, scroll rhythm) before scoring a registration; a submission that arrives with zero signals should be rejected outright rather than scored neutral.
- (Email providers + free-tier caps) Treat sending-volume caps as circuit breakers and set them deliberately; a free-tier limit that happens to stop a spam flood is luck, not a control, and the same flood could otherwise damage domain reputation.
- (Monitoring + alerting) Schedule regular SQL count queries and alert on anomalous growth spikes; monitoring you don’t look at is monitoring you don’t have.
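The scheduled count query from the last item, as an added example written for this summary (not the product's own monitoring). The `users` table schema, the hour-bucketing on `created_at`, the sample rows, and the alert rule (latest hour exceeding 10× the median of earlier hours) are all assumptions; a real job would run the same query against production on a cron schedule and page on the returned alert.

```python
"""Added example: hourly signup counts with a spike alert.

Illustrative code for this summary. The schema and the rows are constructed
here in an in-memory SQLite database so the example runs offline; the query
itself is plain SQL that ports to any relational database.
"""
import sqlite3
import statistics

SPIKE_FACTOR = 10  # assumed rule: alert when an hour is >10x the prior median

# Bucket signups by hour (created_at stored as 'YYYY-MM-DD HH:MM:SS'), and
# count how many rows in each bucket never verified their address.
HOURLY_SQL = """
SELECT substr(created_at, 1, 13) AS hour,
       COUNT(*)                                         AS signups,
       SUM(CASE WHEN email_verified = 0 THEN 1 ELSE 0 END) AS unverified
FROM users
GROUP BY hour
ORDER BY hour
"""


def build_sample_db():
    """Constructed data: six quiet hours of real signups, then one hour in
    which 400 unverified spam accounts land."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
        "email_verified INTEGER NOT NULL, created_at TEXT NOT NULL)"
    )
    rows = []
    for hour in range(6):
        for n in range(3):
            rows.append((f"user{hour}{n}@example.com", 1,
                         f"2026-01-01 {hour:02d}:{n:02d}:00"))
    for n in range(400):
        rows.append((f"bot{n}@spam.invalid", 0,
                     f"2026-01-01 06:{n % 60:02d}:{n % 60:02d}"))
    conn.executemany(
        "INSERT INTO users (email, email_verified, created_at) VALUES (?, ?, ?)",
        rows,
    )
    return conn


def hourly_signups(conn):
    """Return [(hour, signups, unverified), ...] in chronological order."""
    return conn.execute(HOURLY_SQL).fetchall()


def detect_spike(hourly, factor=SPIKE_FACTOR):
    """Compare the newest hour with the median of the earlier hours. The
    median (not the mean) keeps one earlier spike from masking the next."""
    if len(hourly) < 2:
        return None
    baseline = statistics.median(row[1] for row in hourly[:-1])
    hour, signups, unverified = hourly[-1]
    if signups > factor * max(baseline, 1):
        return {"hour": hour, "signups": signups,
                "unverified": unverified, "baseline": baseline}
    return None


if __name__ == "__main__":
    conn = build_sample_db()
    rows = hourly_signups(conn)
    for row in rows:
        print(row)
    print("ALERT:", detect_spike(rows))
```

The unverified column is the useful second signal: a legitimate traffic spike from a launch still converts, whereas a bot flood leaves nearly every row with email_verified = 0, which is also exactly the set the lifecycle-email filter in the fix excludes.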