I Hacked Monster Energy
Source: bobdahacker.com
A self-proclaimed hacker gained unauthorized access to Monster Energy's internal systems and disclosed sensitive information, sparking debate about responsible disclosure and the ethics of hacking.
- Story posted: Aug 23, 2025 at 12:42 PM EDT
- First comment: Aug 23, 2025 at 12:49 PM EDT (7m after posting)
- Peak activity: 143 comments in 0-12h
- Latest activity: Aug 31, 2025 at 4:43 AM EDT
ID: 44997145 | Type: story | Last synced: 11/20/2025, 9:01:20 PM
This doesn't imply that people in higher income brackets don't drink it, even most of them (though probably untrue).
Also pertinent is that the data is specified for Monster Green, which is their full sugar product. Monster Zero is a pretty big product as well, and could have a slightly differing customer base.
Just want to add that all Monster (AFAIK) contains sucralose even if it also has HFCS or other sugar. It's a small amount because it's so potent, so I usually start at the end of the ingredients label when checking if drinks have it. NOS also puts it in their regular drinks. I don't know when they made this change, but I stopped drinking Monster because of it. I used to like the Mean Bean Java Monster quite a bit.
My energy drink of choice these days is Blueberry Red Bull, in case anyone else is looking for an option that tastes better.
Also some brands like Rockstar put it in half their flavors, so you gotta check every can. Even though Killer Citrus is safe (as of 5+ years ago when I last looked anyway), Killer Grape isn't, despite both being of a similar subtype.
From another angle, I think it's quite shady and dishonest of them to mix artificial sweeteners into non-diet drinks and not make it clear. If someone sells sugar free drinks and not-sugar-free drinks, they shouldn't both have sucralose.
I have heard certain artificial sweeteners kill your gut bacteria, but honestly I don't care much about that. If I heard that about sugar, I wouldn't start avoiding sugar.
The green monsters are definitely more male gamer oriented, but the white, green, pink, rose monsters etc seem pretty popular with people in my generation who fall outside that male gamer demographic.
Personally I prefer red bull now but as I get older I mostly drink coffee.
What does this sentence even mean?
With a span across 50 years, that range from Gen X to Gen Z is just awkward to place as "young buyers of Monster" at any point in time.
This covers like sixty years?
That is almost certainly not a meaningless demographic they pulled out of thin air. It might not be meaningful to you as a demographic. It might even be offensive to you as a demographic.
But, to the marketing company, that is a concrete “group of humans” that respond well to their product and advertising. It informs how they develop their ads, how they target them, which geographic markets they push hard in, what events they sponsor, etc.
When they define that demographic as the people they’re targeting, and allocate their capital towards targeting them, they see the highest returns they’ve been able to find so far.
Also Gen X (aged between 44 and 60 at time of writing) are "young".
The article even states this. "Monster Green shoppers are likely younger (Gen-Z/Millennial/Gen-X) male, lower income & Caucasian (skews Hispanic)."
When you've moved from that generational age, you're no longer their audience and they don't care if you buy or not; but it's not like they cared in the first place.
Although it would be a funny bit to run a monster commercial in the style of something like L'Oreal.
I was half-surprised one of the pictured people wasn't wearing pink headphones with attached cat ears.
> "Monster Green shoppers are likely younger (Gen-Z/Millennial/Gen-X) male, lower income & Caucasian (skews Hispanic)."
Later in the post:
> The scariest part wasn't the training portal or the questionable customer profiling.
Questionable customer profiling is just basic research about their customers.
Seriously, I wish more companies were honest at least internally who their customers are. A lot of problems could be solved if places like Marvel realized who their core base is, accepted it, and made products for their audience.
It's not just female super heroes, which always existed and were popular to some degree (Buffy, Lara Croft, Xena, etc). It was a particular form of shallow female empowerment where the female characters were perfect, or if there was any growth to be had, it was realizing that they were perfect all along and the world just needed to change.
Take for instance She Hulk series, within minutes of gaining her powers, she was able to outperform Hulk. There was no personal growth. Whereas male superheroes typically had to overcome obstacles. Spiderman had to learn with great power comes great responsibility. Batman has to constantly battle with his grief and moral code. Ironman fought substance abuse and his philandering selfish nature. What was the story arc of Captain Marvel? It's just not good storytelling.
[1] https://www.goodreads.com/book/show/77264987-mcu
I could imagine similar subcurrents for Marvel executives wanting to appear sophisticated or avant garde but instead having to cater to "comic book nerds" must be challenging.
The post has similar undertones of elitism as well. After all most of us tech people skew towards similar habits as does probably most well paid white collar professions.
https://recruiting2.ultipro.com/MON1009MECY/JobBoard/682eaab...
This is not a mom and pop shop struggling to keep the lights on. This is a huge corporation whose CEO has a net worth 4 orders of magnitude greater than the median American of his age. He could pay the whole IT department out of his pocket and barely notice.
I don't feel bad for them.
That said, the author also comes across as a complete d-bag as well. I have about as much love for marketing people as the average software developer, but their description of their average consumer was pretty normal. The author got super-catty about what's a fairly basic description of their average consumer and a stock photo. They aren't saying the only people who drink monster are young white males, just that that is their largest market and the consumer group they are targeting. It does make sense for them to say internally "hey, FYI this is the group of consumers we intend to target with our marketing efforts", and I've definitely read very similar stuff in every marketing proposal I've read, just with different groups.
IMO what op posted is hilarious but really nothing burger. Access to some analytics, some training material and list of filenames is worthless. Yes pretty amateur mistakes but ultimately has 0 impact.
Definitely not a nothing burger.
_Every_ organisation is a tech organisation.
Focus on the security issues sure, but maybe think a bit more critically about how businesses function.
Go look around at who you see drinking monster and you're probably going to see they're not at all wrong.
The example in the post is a super generic target market. "gen z, lower income"
Also should probably be a little more careful with risking the CFAA, but they seem really young so I'm guessing that's the main explanation.
Generalizing. It would be the same as me calling you out as being a 34 male Texas Neckbeard MAGA supporter for having the user name "pessimizer".
As an actual insult, assuming and throwing it at someone is an attack. It could be derogatory if what is said harshly generalizes a majority or group.
I prefer honest truth to polite fiction.
It’s better to attempt to see the world as it is than delude yourself with bullshit.
If GP had said the author was probably retarded, would you be so confused then?
Also would explain their unfamiliarity with what looks to me like totally normal branded corporate training.
They may not have had a security email but I’m sure there was some contact this could have been sent to before posting something like this.
Part of me wonders if OP even tried or was mostly just looking to dunk on a company.
While I understand that the author attempted to contact Monster without receiving a response, publishing details of the vulnerabilities and how to exploit them only puts users at greater risk. This approach is reckless and harmful.
Fuck Responsible disclosure, companies should have to bid on 0 days like everyone else.
Saying 'fuck responsible disclosure' is basically saying 'let’s hurt innocent users until the company caves.' That’s not activism, that's collateral damage.
If someone genuinely cares about accountability, there are legal and ethical ways to pressure companies. Dumping 0-days into the wild only helps criminals, not users.
the american system clearly agrees with this, too. you see it in insider trading laws. you're allowed to trade on insider information as long as it was, for example, overheard at a cafe when some careless blabbermouth was talking about the wrong things in public.
Correct. And I have good reasons for that. Activism has failed, consequences are required. The inevitable march towards the end of privacy due to the apathy of the unthinking majority of careless idiots will only be stopped when everyone feels deeply troubled by entering even the slightest bit of personal information anywhere because they've felt the consequences themselves.
> If someone genuinely cares about accountability, there are legal and ethical ways to pressure companies. Dumping 0-days into the wild only helps criminals, not users.
I could point to probably thousands of cases where there wasn't any accountability or it was trivial to the company compared to the damage to customers. There's no accountability for large corporations, the only solution is making people care.
No one will buy some shitty XSS on a public website.
On the other side, if it is some piece of software, immediate disclosure in public is the only reasonable and prudent action. It allows every user to take necessary mitigation actions like taking their services and servers offline.
If the victim does not acknowledge this issue it is impossible to execute step 2. So then the security researcher goes to step 3.
If the hacker has the emails sent at step 1 he will be fine.
I am happy every time somebody makes enough noise to make them notice and fix it because being polite and legal clearly is not working.
Don't know about GenX though. A common definition of GenX is born between 1965 and 1980. Speaking for all GenX males of the world, the stuff tastes overly sweet to me and don't want to risk a higher A1C on carbonated sugar water. Bleh!
So, back then, most consumers would have been GenX. Millennials would have been between 6yo and 21yo with only the very oldest likely to be buying such things. GenZ wasn't part of any market segment, and Alpha didn't even exist yet. Some of us GenXers stuck with it; at 60yo I still drink a can instead of coffee every day and none of my labs show any ill effects. Maybe we're not the primary demographic any more, but we're certainly still in there.
So ... which of us speaks for all GenX males in the world? ;)
For the author's sake, I really hope they don't live in the USA.
FYI, if you are a hacker:
1. Stop immediately after discovery and don’t go further than the minimal step that proves the vulnerability exists.
2. Document, don’t exploit
3. Report responsibly
4. Do not publish until fixed. Do not publish documents/images without permission.
5. Intent doesn’t erase liability: even “just poking around” can be charged under CFAA (US) or CMA (UK).
This isn't just a reactive profile of who they think is buying the product, it's the blueprint for the product.
Not that HN would know anything about that.
These writeups are Jr. level hacks (I looked through them all). Aside from making the company look bad, you don't really learn much from it because they are so easy.
I'm tempted to just find the person that owns this blog and make sure they aren't hired in the security industry. We don't need people like this around.
Sorry, being the one to "make sure" someone doesn't get hired makes you the person whom I'd never hire in my eyes. Hopefully in all the potential employers' whom you go crying trying to sabotage this guy's career also.
Everyone was an eager junior once. If you weren't, it's your problem, not this guy's.
Yeah, there was some serious, "you'll never work in this town again," energy. Glad I wasn't the only one who picked up on it.
I'd hire this security professional at my company.
the security guard of the local mall left the door unlocked when the mall was actually closed, and i saw the mall hours that it was closed, but i went in anyway out of curiosity since i was already there
They should not have done any of this in the first place, let alone disclose it publicly in this manner.
I too did similar things when I was younger, riding high on that feeling of power, and learned the hard way that even attempting to hack something can be considered computer fraud in EU.
I was lucky to not suffer any consequences in the long run.
You can brag all you want about being an "ethical hacker", the law is probably not on your side - especially if you publish incriminating evidence in the form of an immature post like this.
Disclosing security vulnerabilities if they don't respond is fine. Sharing internal training material and photos for the lols and internet points is just being a dick.
Good job, bobdahacker. We look forward to your next installment.
it's just an energy drink, bro. It's not that deep.
...yeah... I don't think those words mean what you think they mean...
https://web.archive.org/web/20250823172249/https://bobdahack...
This person needs to understand that Monster is in the business of selling energy drinks, not storing secret information or managing critical infrastructure. The fact that they have their own branded cyber security training is actually better than most. I'm not saying their infrastructure couldn't be improved, but chill out. They likely operate with a higher risk tolerance compared to other organizations so yes they're probably more exposed.
I can see faulting them for these lapses in security, but on the other hand I also don't have a guide in mind to point them to that they should make use of instead (obviously the guide they had was insufficient)
e.g. https://archive.today/2uqo2