Someone used my open source project to phish 14,000 people

Open-source dream turns into a scam cannon as commenters roast, shrug, and spiral

TLDR: A scammer used an open sign-up feature in a small open-source app to send 14,000+ phishing emails from the developer’s real domain. Commenters were torn between sympathy and tough love, arguing this is inevitable online while fighting over whether anti-spam fixes also hurt normal users.

An indie developer woke up to a nightmare: his free online demo for Kaneo, a project management app, had been turned into a phishing machine that blasted more than 14,000 scam invites while he slept. The wild part, and the part commenters couldn’t stop obsessing over, is that nothing was hacked. The scammer just signed up over and over, used throwaway email addresses, made nearly a thousand fake workspaces, and let the app’s own invitation system do the dirty work. In other words: the burglar didn’t break a window, he just walked through the front door because it was open.

The comment section immediately split into factions. One camp was basically, “Welcome to the internet, pal” — saying every service eventually gets abused by people trying to squeeze value out of anything that isn’t nailed down. Another group zeroed in on the fixes, with debate over blocking disposable email services: smart defense or annoying punishment for privacy-minded users? And then, because this is the internet, someone swerved straight into existential dark comedy, noting that if your code is popular enough, it’s probably already been used for something horrifying somewhere.

There was even side-drama about the writing itself, with one commenter bluntly complaining that the post read like LLM output. So yes: in one thread, readers managed to turn a scam incident into a debate about startup naïveté, internet survival, privacy, and robot writing. Classic.

Key Points

  • The author discovered that attackers used Kaneo’s cloud signup and invitation features to send 14,520 phishing invitations from a verified Resend domain.
  • The abuse involved 949 newly created workspaces generated within a three-hour window on May 28, using throwaway email providers and templated phishing subject lines.
  • The phishing emails appeared legitimate because the links pointed to the author’s real site, while the scam content was embedded in workspace names and included a craftum.io link.
  • The article states there was no exploit or CVE; the attacker used the product exactly as designed, exposing weaknesses in the signup and invite flow.
  • The author responded by revoking Resend keys, deleting abusive accounts and invitations via a PostgreSQL transaction, and adding CAPTCHA, rate limits, disposable-email blocking, workspace-name filtering, and invite restrictions.
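As an added illustration (not code from the Kaneo project or the original post), the checks below apply three of the mitigations listed above to a constructed batch of workspace-creation records: throwaway-domain blocking, filtering of workspace names that smuggle a link into the invite e-mail, and a sliding-window burst tripwire. The blocklist, thresholds, event schema and sample data are all assumptions.

```python
import re
from collections import deque
from dataclasses import dataclass

# Assumed blocklist of throwaway providers (a real deployment would load a maintained list).
DISPOSABLE_DOMAINS = {"tempmail.example", "throwaway.example"}
# Invite e-mails render the workspace name, so a domain or URL inside it is the scam body.
URL_RE = re.compile(r"https?://|www\.|\b[\w-]+\.(?:io|com|net|org|example)\b", re.I)

@dataclass
class WorkspaceCreated:
    ts: int           # creation time, unix seconds
    owner_email: str  # address that signed up and owns the workspace
    name: str         # workspace name, reused verbatim in invitation e-mails
def is_disposable(email: str) -> bool:
    """True when the sign-up address belongs to a known throwaway provider."""
    return email.rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS
def name_carries_payload(name: str) -> bool:
    """True when the workspace name smuggles a link or domain into the invite."""
    return URL_RE.search(name) is not None
def burst_exceeded(events, window_s: int, limit: int) -> bool:
    """Sliding-window check: more than `limit` creations inside any `window_s` seconds."""
    window = deque()
    for ev in sorted(events, key=lambda e: e.ts):
        window.append(ev.ts)
        while window[0] < ev.ts - window_s:
            window.popleft()
        if len(window) > limit:
            return True
    return False

def triage(events, window_s=3 * 3600, limit=100):
    """Return ({workspace name: reasons}, burst_tripped) for a batch of creation records."""
    flagged = {}
    for ev in events:
        reasons = [r for r, hit in (("disposable-email", is_disposable(ev.owner_email)),
                                    ("url-in-workspace-name", name_carries_payload(ev.name))) if hit]
        if reasons:
            flagged[ev.name] = reasons
    # Global tripwire: a burst like 949 workspaces in three hours should pause invites entirely.
    return flagged, burst_exceeded(events, window_s, limit)

# Constructed sample: one normal sign-up, then templated abuse from throwaway addresses.
SAMPLE = [
    WorkspaceCreated(1000, "alice@corp.example", "Q3 Roadmap"),
    WorkspaceCreated(1010, "x1@tempmail.example", "Your payout is ready at pay-now.example"),
    WorkspaceCreated(1012, "x2@throwaway.example", "Verify account: https://pay-now.example/v"),
    WorkspaceCreated(1015, "x3@tempmail.example", "Payout pending - www.pay-now.example"),
]
```

Running `triage(SAMPLE)` flags the three throwaway-owned workspaces on both the e-mail and name checks and leaves the legitimate one alone; the burst tripwire only trips when the window and limit are tightened, for example `triage(SAMPLE, window_s=60, limit=3)`.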

Hottest takes

"There will always be a subset of users whose goal is to not use your service, but to arbitrage your service" — eggbrain
"Disposable email domains blocked — This one is really annoying" — j-bos
"Please write your blog post yourself" — no_multitudes
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.