Ask HN: What in the world is going on at Supabase? | Not Hacker News!

Q&A highlight

57 points

20 comments

Posted3 months agoActive2 months ago

Ask HN: What in the world is going on at Supabase?

Supabasecustomer supportsecurity

Ask HN: What in the world is going on at Supabase?

No synthesized answer yet. Check the discussion below.

Discussion (20 comments)

Showing 20 comments

3 months ago

1 reply

I want to underline the fact that I am not a client, nor has my firm ever registered with them, so this is a security/fraud correspondence...not customer service.

Emails to support@, info@ etc multiple TLDs, all ignored for months...

2 months ago

1 reply

hey DANmode - supabase ceo here. similar to the sibling thread I want to make sure I know what happened here:

  1. someone created an website using supabase with email logins (and possibly edited the template / opt-out link)
  2. someone signed you up to that service - you received an email from that app 
  3. you sent us an email (to support@supabase.io or similar) to report abuse
  4. we emailed a few months later with the generic email you posted

First, I'm sorry you had a bad experience. we have been historically very on-top of our support emails, but this year the tickets have grown ~10x while our team can only grow ~2x. We have had to make short-term trade-offs (automations) which are sub-par so that we can catch up with the growth and primarily focus on the paying customers

I'm be the first to acknowledge that this is something we want to improve. Unfortunately that will take time and iterations - you are experiencing our support (i hope) at it's worst. We sent an email to the backlog of unanswered free-plan emails just to acknowledge and redirect them somewhere we can offer more support

For security/fraud, we have a slightly different process: https://supabase.com/.well-known/security.txt

This process is to ensure that we _don't_ miss emails, like we did with yours.

You post here is helpful for us to figure out the areas that we need to improve. Again, I'm sorry that we didn't give you a good impression the first time - all we can do is iterate based on feedback like yours. If you want to share more my email is in my profile

2 months ago

I believe the biggest issue is that the ONLY lever the email gave the user to pull (the Opt-Out of these emails link) was broken. (FYI: It's working now.)

I still don't even know if that does what I think it does (it sounds like marketing list opt-out).

/ /

How is a user, who has been signed up for your services without their knowledge, meant to "opt out" of the trial, or account, after the point of receiving the email,

if they never even initiated the account on your end?

3 months ago

1 reply

Sympathy to you for these woes.

While this sucks, your best bet is to vote with your wallet, find a way to act as though they don't exist, and leave them to their own devices.

3 months ago

I mean, I was already doing that!

I'm not a client, no relationship with them.

3 months ago

1 reply

They also never mailed me free t-shirt for completing their State of Startups survey a few months back

2 months ago

let me follow up with the team to find out what happened here

3 months ago

2 replies

supabase supabase supabase

@kiwicopple - given you have keyword notifications set up on here [0], between this and your current AWS situation, this is not a good look

[0] https://news.ycombinator.com/item?id=42223240

3 months ago

...what's the AWS situation?

2 months ago

thanks for the tag lucasknight - i'll respond inline to OP about their email situation

> your current AWS situation

I think the assessment here is accurate:

https://x.com/theo/status/1979271205279666586

> Looked into this a bit. I don’t think “downtime” is a fair way to report on this. No existing databases are affected. Amazon is literally out of boxes in eu-west-2, so Supabase can’t provision NEW DBs in that one specific region

I want to own the fact that we can be multi-cloud, and that we can work with AWS on their capacity planning (note: this is not a typical request for an increase on a soft limit). We are working through both of these options. That said, the Reddit poster classifying this as days of downtime is not entirely fair, and it makes it harder to for us to over communicate with our community. Throughout this period we had days where there was free of capacity on AWS and we chose to leave the status up until we have finalized our conversations with AWS.

I also want to acknowledge that there is a broader AWS issue today in us-east-1 which affects us (and most other companies today) that is unrelated

https://news.ycombinator.com/item?id=45640838

3 months ago

1 reply

Nobody is going to see this. They are a Y Combinator and claim to have Hacker News locked down.

3 months ago

Plenty "saw it". Really only needed one person to see it...

They claim that? Where?

3 months ago

1 reply

Here's how I'm interpreting this:

    1. your company owns example.com
    2. someone signs up to supabase with alice@example.com
    3. you receive the confirmation email somehow (which probably isn't important)
       a. either the email address is valid, 
       b. it is delivered some catch-all mailbox
    4. you email supabase support notifying them that someone is signing up with an address that your company controls

Is that right? If so, I don't think this is some kind of vital security event. The confirmation email won't be delivered to the purported bad actor, so the account won't verify.

3 months ago

1 reply

It really depends what's being done with their services during the trial period by someone claiming to be example.com!

(I have no way to know what's possible, or what the spoof accounts are doing - I've never registered with them! Just trying to give a courtesy heads up so they can take a look at bad actors on their platform...)

3 months ago

1 reply

You can't use the services until you confirm the account via email. When you sign up, you provide and email address, and the you're presented with this:

"You've successfully signed up. Please check your email to confirm your account before signing in to the Supabase dashboard. The confirmation link expires in 10 minutes."

If you attempt to sign in before verifying, you'll see:

"Account has not been verified, please check the link sent to your email"

So nothing is going to happen. This is probably a bot probing for accounts. The system is operating as intended. No cause for concern.

----

One more bit: when you receive the initial account email, you'll find a note at the bottom confirming the intention:

"If you didn't request for this, you can safely ignore this email."

3 months ago

1 reply

Familiar with botting etc - no, there was NOT a message saying it was safe to ignore it if I didn’t request it.

The Opt out of these emails link was the end of their email.

Unless they’ve changed this since this ordeal began for me on July 12th, this is still a problem.

3 months ago

We must be talking about different things, then.

They're active on discord, so maybe bring it up there: https://discord.com/invite/AYybku5cUz

3 months ago

I would differentiate between a bad customer service, that answers too late and doesn’t think outside the box versus their product. As a customer I am actually pretty happy with what I’m getting, but apparently this will only remain true as long as I don’t need to contact anyone. I guess they think they don’t need good customer support if the product is good enough for no one to complain.

3 months ago

The sad fact is investors don’t care about abuse. Provided the company aren’t deliberately faking customers there is no incentive to spend any resources on a free trial other than looking for customers to convert.

3 months ago

They are squeezing the free tier hard to monetize. It never made sense in the first place (they don't have their own servers, they host on AWS). It probably cost them something like $10-15/free customer. That's as bad or worst than many of the AI startup burning money to acquire customers. Also the free tier is good for most people, so why pay up?

I got my DB paused a few times despite it being active (the irony is that I have an inactive DB that was not affected).