

What do you mean? If their email is confirmed, then I assume only they have access to it. Is there something I’m missing?
But can you prove those db entries were created by that user?
Good point. The db entries are linked to the user, but I guess one could argue that was changed after the fact. The db logs are still around but that might not be enough.
Why would it be silly?
I don’t know. I just feel like it would be an overreaction. Especially since they technically exploited a bug in my own code.
There is. The db entries are still there, linked to their username and email. I’m not gonna report it, obviously. That’d be silly.
It’s not a university project. I’m obviously not gonna report it to anyone.
The logs were deleted but the database entries remain, tied to their username and confirmed email.
It’s a hobby project. I’m an amateur dev, I know. I’m not even mad at them, they helped me catch a bug. Cool ur tits
I do.
I don’t like bones and cartilage. Only meat I eat is ground.
They did not gain access to the db. They just inserted some garbage data that, due to a bug in my code, caused a background worker to try to insert some invalid data into the db and fail on loop, hogging network resources until eventually the main server couldn’t serve anymore.
When I say their email is confirmed, I mean the email they used to sign up is presumably one they have access to because they clicked on the confirmation link with a token sent to their email. The data they inserted is tied to that account with a foreign key.
No SQL injection or anything like that was done. It was more them triggering a bug than anything. But it’s still clearly intentional because the data they inserted is spam about forex trading with no spaces (which is what caused the error, long story). My code is open source so presumably they knew that would happen.