How bots used our sign-up and forgot password pages to bomb real people's inboxes, and what we did to stop it. A practical guide to subscription bombing for founders and developers who think CAPTCHA is an "I'll do it later" task.

Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

A SaaS founder describes discovering their sign-up and forgot-password forms were being exploited in a subscription bombing attack — where bots register real victims' emails across many sites to flood their inboxes and bury important security alerts. The attack was low-volume (1-2 sign-ups/hour) and designed to evade rate limiting. The fix involved tightening firewall bot detection, adding Cloudflare Turnstile (integrated via Better Auth's built-in CAPTCHA plugin), and restricting all emails except the verification email until the address is confirmed. The post argues that any sign-up form that emails unverified addresses is complicit in this attack, and urges developers to treat CAPTCHA and email gating as baseline requirements, not optional tasks.

Your sign-up form is a weapon