January 30, 2026
Open AI, open house?
175K+ publicly-exposed Ollama AI instances discovered
AI left the door wide open — users blame copy‑paste, pros blame defaults
TLDR: Researchers found 175,000 home‑hosted Ollama AI servers left open to the internet and being hijacked to churn out spam. Commenters are split between “user error, lock it down,” “blame Docker/IPv6 quirks,” and “calm down,” but most agree the fix is simple: keep it private to your own machine.
Security sleuths say some 175,000 home‑run Ollama AIs were left sitting on the open internet, no password, just vibes — and bad actors are already freeloading on them in a grift dubbed “LLMjacking” (think: using your computer to crank out spam or worse). The fix? Keep the AI listening only to your own machine. Simple… in theory. In practice, the comments turned into a street brawl.
One camp is waving red flags at copy‑paste culture, warning that people blindly run setup commands that throw open the door — “it works!” — and forget to lock it. Another camp shrugs it off with a dry “Nothing to see here” and links to more measured takes. Meanwhile, the tech‑savvy crowd is side‑eyeing Docker (container tech) for “all-or-nothing” port rules, and IPv6 (the newer internet addressing) for exposing services people thought were hidden. A macOS quirk even got a cameo: you can bind to everything at once without admin rights — which sounds like a joke, but isn’t.
Through it all, the meme machine is humming: “0.0.0.0 is the new ‘password123’” and “LLMjacking? More like letting your AI Airbnb itself.” Drama aside, the chorus agrees on one point: lock it to localhost and move on, before your AI starts moonlighting for spammers.
Key Points
- Around 175,000 Ollama instances are publicly exposed without authentication due to misconfiguration.
- SentinelLABS and Censys identified the exposed systems; many run in home, VPS, or cloud environments.
- About half of the exposed instances allow tool calling, which increases the exploitation potential.
- Pillar Security reports active abuse via “LLMjacking” to generate spam and malware and to resell access.
- The issue is not an Ollama bug: the default binds to localhost. The fix is to restrict the listener to 127.0.0.1 and lock down access properly.
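The “lock it to localhost” advice is easy to state and easy to get wrong, so here is the check a defender would actually run, as an added example that is not code from the article, the commenters, or the Ollama project. It reads `ss -ltn`-style listener lines, decides per socket whether the bind address is loopback or a wildcard, and prints the loopback-only launch forms. It assumes 11434 is Ollama's documented default port (the page never states it); the listener lines are constructed sample data, not output captured from a real host.

```shell
#!/usr/bin/env bash
# Added example, not code from the article or from the Ollama project.
# Audits ss(8)-style "LISTEN" lines and flags Ollama listeners bound to a
# wildcard address instead of loopback. Assumptions: 11434 is Ollama's
# documented default port (the article never states it); the sample lines
# below are constructed, not captured from a real machine.

OLLAMA_PORT="${OLLAMA_PORT:-11434}"

# classify_bind ADDR:PORT -> prints "local" or "exposed".
# Covers the cases argued about in the comments: the IPv4 wildcard 0.0.0.0,
# the IPv6 wildcard (ss prints it as "*" or "[::]"), and both loopback forms.
classify_bind() {
  local sock="$1" addr
  addr="${sock%:*}"                       # drop the trailing :PORT
  case "$addr" in
    127.*|'[::1]'|localhost) echo local ;;
    0.0.0.0|'*'|'[::]')      echo exposed ;;   # wildcard: every interface
    *)                       echo exposed ;;   # a specific interface address is still reachable from that network
  esac
}

# audit_listeners: reads `ss -ltn` style lines (header removed) on stdin,
# prints a verdict for each socket on the Ollama port, returns 1 if any is exposed.
audit_listeners() {
  local rc=0 state recvq sendq local_sock rest port verdict
  while read -r state recvq sendq local_sock rest; do
    [ "$state" = LISTEN ] || continue
    port="${local_sock##*:}"
    [ "$port" = "$OLLAMA_PORT" ] || continue
    verdict="$(classify_bind "$local_sock")"
    printf '%-20s %s\n' "$local_sock" "$verdict"
    [ "$verdict" = exposed ] && rc=1
  done
  return "$rc"
}

# sample_listeners: constructed lines in the shape of `ss -ltn` without its
# header (State Recv-Q Send-Q Local:Port Peer:Port). Not real host data.
sample_listeners() {
  cat <<'EOF'
LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:11434 0.0.0.0:*
LISTEN 0 4096 [::]:11434 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
EOF
}

# fix_hints: loopback-only forms of the two launch styles the comments discuss
# (direct service and Docker). OLLAMA_HOST and the host-address prefix on
# docker -p are documented behaviour, stated here as assumptions because the
# article itself does not show them.
fix_hints() {
  cat <<EOF
OLLAMA_HOST=127.0.0.1:${OLLAMA_PORT} ollama serve
docker run -p 127.0.0.1:${OLLAMA_PORT}:${OLLAMA_PORT} ollama/ollama
EOF
}

# Stand-alone run: audit the constructed sample and print guidance if needed.
if sample_listeners | audit_listeners; then
  echo "no exposed Ollama listeners"
else
  echo "exposed Ollama listener found; bind to loopback instead:"
  fix_hints
fi
```

The IPv6 case is why the classifier treats `[::]` (or `*`) as exposed: a service that is loopback-only on IPv4 can still be reachable over IPv6 if a second socket is bound to the v6 wildcard, which is the “hidden service” surprise the comments describe. The Docker complaint maps to the `-p` flag: `-p 11434:11434` with no host address publishes on all interfaces, while prefixing `127.0.0.1:` keeps the published port on loopback only. On a live host, feed the function with `ss -ltn | tail -n +2 | audit_listeners` and treat a non-zero exit as a finding.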