the enshittification of hackclub.
so. here it is, my (probably) final post/speech on hackclub.
over the past few weeks, i've watched an organisation i genuinely cared about transform from something special into just another tech company that prioritises image management over actual accountability. this isn't just about data breaches or privacy policies - it's about a fundamental shift in values that's been brewing for a while and finally exploded into public view.
the community is losing its spark
let's start with what everyone can see but fewer people want to admit: the community isn't what it used to be. we've had 15+ ysws this summer alone, many of which are low-quality add-ons to existing projects or rushed one-day events that feel pointless. the magic of building something because you love it has been replaced by churning out content for the sake of activity.
technical conversations have dried up. places like #lounge that used to buzz with interesting discussions are basically dead. instead, we get endless shitposting and people using dumpster fire reacts in #meta when someone tries to have a serious conversation about the organisation's direction.
the community feels more closed off and, frankly, more tech-bro-ish than it ever has. when people try to raise legitimate concerns, they're met with dismissiveness or told to "just make a pr" instead of having those concerns addressed by the people actually responsible.
the privacy failures and institutional response
but the real breaking point for me has been watching how hack club handles data protection and accountability. in july, i discovered that the neighbourhood platform was exposing thousands of users' full legal names through an unprotected api endpoint. anyone with a slack id could access this data - no authentication required.
i sent formal breach notifications to security@hackclub.com and gdpr@hackclub.com on july 9th. i got no response.
when i tried to discuss this with hq staff, the responses were genuinely shocking:
- one intern told me gdpr doesn't apply because hack club is us-based
- another said "nothing compels us to pay" if fined
- they claimed eu users "void their protections" by coming to the us
- when pressed on legal details, they admitted getting advice from chatgpt
but it gets worse. i have screenshots showing that the developer responsible for neighbourhood, thomas, intentionally left the endpoint unprotected. when asked why, he said it was "intentional. not behind auth." when warned this was a massive gdpr breach, he simply asked "why?" - showing a complete disregard for user privacy.
the payout situation
after months of pressure, hack club finally offered me a "bounty" for reporting the vulnerability that exposed thousands of minors' data. the amount? $25.
this was reduced from their "base amount" of $50 because:
- i reported it via email instead of their preferred channels
- i apparently "did not approach the situation with care"
rowan, the intern handling payouts, claimed they were "already working on a fix" and that he "follows up weekly" on security reports. but when i showed him his own dms with thomas - where thomas said he "never wanted to fix it" - rowan suddenly had to "go to bed" and stopped responding.
the screenshot evidence completely contradicted his claims about active fixes and weekly follow-ups. yet he still insisted on the reduced payout, essentially penalising me for not using their non-existent proper channels while they ignored the issue for months.
the semantic games and deflection
when i continued pushing for proper breach notifications (which are legally required), the responses became even more frustrating. chris walker, a full-time staff member, started playing semantic games about whether exposing personal data constitutes a "breach" or just a "vulnerability."
his argument? it's only a breach if data was "meaningfully" exploited. when i pointed out that researchers like mel had accessed the data to confirm the vulnerability (which is literally exploitation), he dismissed it as "not at a meaningful scale."
this is someone who's supposed to be a responsible adult at hq, arguing with chatgpt screenshots instead of consulting actual lawyers. the same pattern we saw with the interns - when faced with legal requirements they don't like, they simply redefine terms to avoid responsibility.
the defensive manifesto
chris eventually wrote a massive defensive post that perfectly encapsulates everything wrong with hq's current mindset. highlights include:
- admitting hack club is "certainly" violating gdpr but claiming it's too complicated to comply
- arguing that mistakes are inevitable when teenagers build things (ignoring that experienced adults made the key decisions)
- claiming regulatory enforcement isn't a "significant factor" in their decisions
- insisting no "data breaches" have occurred despite documented exposure of personal data
- playing victim about people being "toxic and profane" when raising legitimate concerns
the post reads like a corporate pr piece designed to minimise responsibility while making hq look like the reasonable party. it's exactly the kind of response you'd expect from a company that cares more about image than accountability.
the broader pattern of deflection
throughout all of this, hq has consistently:
- asked community members to "make prs" to fix data protection issues instead of handling them internally
- locked meta threads when conversations get heated instead of addressing the underlying concerns
- relied on interns with no legal training to handle serious compliance issues
- dismissed security researchers and reduced payouts based on arbitrary criteria
- played semantic games to avoid legal obligations
- removed official gdpr contact channels after being called out publicly
this isn't about being mean or dramatic. these are systematic failures that put user data at risk while protecting hq from accountability.
the toll it took on me
i need to be honest about something: this situation has absolutely destroyed my mental health over the past few weeks. what started as trying to report a security issue properly has turned into weeks of gaslighting, dismissiveness, and watching an organisation i cared about prioritise damage control over doing the right thing.
i used to genuinely want to work for hack club. i believed in the mission and thought hq was different from other tech companies. but after being treated like an annoyance for reporting serious privacy violations, after watching teenagers handle legal compliance issues while actual adults hide behind semantics, after seeing my legitimate concerns dismissed as "toxic discourse" - that interest is completely gone.
the stress of dealing with this while also trying to protect the community's data has led to erratic behavior, sleepless nights, and a level of frustration i didn't know i was capable of. i'm not saying this to excuse anything i've said or done, but to make clear that this isn't some abstract debate - it's about real people being affected by institutional failures.
and let me be completely honest here: yes, i have been acting frankly like a fucking horrible piece of shit, and that's wrong. i shouldn't have done it. i've been rude, aggressive, and probably made this whole situation worse than it needed to be. the past is the past - you can't change it now. but that doesn't mean the underlying issues aren't real or important.
personal apologies
rowan, i'm sorry for treating you like a piece of shit. you didn't deserve the level of aggression and personal attacks i directed at you, regardless of how frustrated i was with the situation. however, that doesn't give you the right to lie about security processes or reduce payouts based on arbitrary criteria. we both fucked up here, and i should have approached this more professionally from the start.
to chris, max, and anyone else at hq who felt personally attacked - i'm genuinely sorry. my frustration with institutional failures doesn't justify making this personal or being unnecessarily hostile toward individuals. you're all trying to do difficult work, and i should have found better ways to express my concerns.
to the broader community members who got caught in the crossfire or felt uncomfortable with how heated things got - that's on me. i let my anger about these issues spill over into being generally unpleasant, and that's not fair to people who just want to be part of a positive community.
being right about the underlying issues doesn't make being an arsehole okay. i should have done better.
the code of conduct hypocrisy
speaking of institutional failures, let's talk about the recent "code of conduct" conversation i had with hq. after weeks of dealing with their dismissiveness and legal ignorance, i was told my tone was "inappropriate" and that i couldn't call specific people out for their actions.
this feedback came while chris walker was posting pictures of his toes in a thread full of teenagers - behavior that somehow didn't warrant any response from the code of conduct team. apparently, my tone about data protection violations makes slack "a place where teenagers don't want to be," but actual inappropriate behavior from staff gets a pass.
the double standard is clear: there's one set of rules for community members raising legitimate concerns, and another set for staff who want to avoid accountability.
the enshittification process
this is textbook enshittification. hack club has grown large enough that it can afford to ignore individual community members while prioritising institutional protection over user rights. the same pattern we've seen from every other platform:
- build community goodwill with genuine mission and values
- grow large enough that individual users become expendable
- prioritise institutional interests over user protection
- dismiss criticism as "toxic" or "unconstructive"
- rely on defensive pr instead of actual accountability
hack club isn't the scrappy nonprofit empowering teenagers anymore. it's become another tech company that talks about privacy and security while systematically failing to implement either.
what needs to change (but probably won't)
for hack club to actually live up to its stated values, they would need to:
- remove minors from roles involving legal compliance and data protection
- implement actual data protection processes instead of relying on informal chat discussions
- stop playing semantic games to avoid legal obligations
- provide proper training for staff handling user data
- establish clear escalation paths for security issues
- publish and follow through on actual privacy policies
- treat security researchers as partners, not annoyances
- acknowledge institutional failures instead of playing victim
but based on everything i've seen, this won't happen. it's easier to dismiss critics as "toxic" than to implement actual accountability measures. it's easier to reduce bounty payouts than to acknowledge systematic failures. it's easier to lock meta threads than to address the underlying concerns.
conclusion
i still believe in hack club's mission. empowering teenagers to build amazing things is genuinely important work. but the organisation has lost its way, prioritising growth and image management over the values that made it special in the first place.
i've spent weeks trying to work within the system, sending formal emails, following proper channels, offering to help improve processes. the response has been dismissiveness, gaslighting, and semantic games designed to avoid responsibility.
so this is probably my last major contribution to hack club. i've reported the relevant issues to appropriate authorities. i've documented the institutional failures for anyone who wants to learn from them. i've tried to protect the community's data when the organisation wouldn't.
the rest is up to hack club. they can continue down this path of defensive posturing and accountability avoidance, or they can remember what they're supposed to stand for.
but i won't be around to see which path they choose.
this post documents my experience reporting data protection issues at hack club from july 2025. all claims are based on documented communications and publicly available information. screenshots and evidence are available upon request.
if you're dealing with similar issues at any organisation, remember: your concerns are valid, accountability matters, and institutional defensiveness is not the same as institutional responsibility.
so. that's it. my final post about hackclub and in general. i'll probably disappear, however my services will keep running (if i check my emails and pay the bills (probably not happening)) however there is a very probable chance that i will not come back (for those who know :> ), so if that does happen, i'll leave you with my final goodbye.
cya!!!!