Bubble app got shut down by a hacker

Hey guys! We got an email from “Hacker” saying that we either pay $500 or he breaks our website.

As we are on Bubble, we thought we were protected and just ignored him.

So currently our website is down for 24 hours and Bubble support says: “We are investigating”

Just keep in mind that this might happen to you.

The funny thing is that Cloudflare is managed by Bubble and we can’t do anything as Bubble doesn’t react.

@Bubble @eve How much time can it take? Weeks?
This is the link

If you can access your app_name.bubbleapp.io, then the issue is on your domain provider side.

No, I can’t. Just tried.

At first blush, it appears to be a Cloudflare firewall issue…

So Cloudflare is managed by Bubble, unfortunately.
There is nothing we can do here; that’s what’s worst.

Yeah, it’s no fun feeling helpless about your own app.

I presume you’ve submitted an official bug report, right?

Your website is under attack and thus Cloudflare automatically blocks any data passing.

Weird thing though

I sympathize - But please keep in mind this happens… Hackers are always finding new ways of intruding. My company runs tens of enterprise software apps… Even w/ weekly security reviews, monitoring services, etc, there still are inventive little suckers (hackers) out there who find ways in. So I wouldn’t blame Bubble squarely - Web security changes every day.


They’re DDoS’ing you with 20x the traffic that Bubble, as a whole, normally gets.

We’re consulting with cloudflare for mitigation strategies that will not harm the main cluster. Most of the traffic is coming from botnets located in Russia, Indonesia, and India.


You’re peaking at about 10k requests per second. We’ve added a 5-second JS challenge every 30 minutes that should mitigate some of the bot traffic without taking your site completely offline. Meanwhile we’ll keep evaluating options at our disposal to keep you online as much as possible.

This kind of ransom usually comes from hackers who rent others’ botnets for limited periods of time, so I expect to see a number of attacks over the coming days until we figure out a long-term solution or they get bored.


Sheesh! Pretty wild. I wonder what led to you getting targeted @kodjima33?

Really good work @peterj!


At 14:07 we blocked the site completely
At 17:05 we threw up the challenge

Note that the JS challenge limited the rate of the 21:00 DDoS (requests came in at about 1/3 the rate of the previous attack) and completely neutralized it from the Bubble side.

@kodjima33 Sorry about what we had to do to your app on Sunday. This has been a useful learning, and we’ll get rid of the JS challenge once your attacker gets bored.


Wild, thanks for the detail into this and good work @peterj

Thanks for the feedback. @kodjima33 What is your DNS provider?

@peterj should we expect a more automated responsive defence if Cloudflare is our DNS manager of the domain for a Bubble App?

Sort of? CF admitted that they don’t trigger automatic DDoS protection until ~10krps, which will easily swamp any single Bubble app (but obviously not the cluster), and most customers who ask for the limit to be changed ask for it to be raised.

2021Q1 includes some major initiatives for getting more immediate insight into cluster performance (or, in less verbose terms, more fine-grained monitoring and alerting) that should enable us to be more proactive about this sort of thing in general.
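
An added example, not code from this thread or from Bubble: one way to alert per app, against that app's own recent request rate, so a flood is flagged well below the ~10k rps edge trigger mentioned above. The per-second (time, host, count) input shape, the tuning constants and the host names are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from statistics import median

EDGE_AUTO_TRIGGER_RPS = 10_000  # approximate figure quoted in the thread
# Assumed tuning values, not Bubble's or Cloudflare's settings.
BASELINE_WINDOW = 30   # seconds of history kept per app
SPIKE_FACTOR = 10      # multiple of the app's own median rate
MIN_ALERT_RPS = 200    # ignore spikes on near-idle apps
SUSTAIN_SECONDS = 3    # consecutive hot seconds before alerting


def detect_floods(samples):
    """samples: time-ordered (epoch_second, app_host, request_count) rows.
    Returns [(app_host, alert_second, rps_at_alert)], one per episode."""
    history = defaultdict(lambda: deque(maxlen=BASELINE_WINDOW))
    hot_streak = defaultdict(int)
    alerts = []
    for second, host, count in samples:
        past = history[host]
        baseline = median(past) if past else 0
        threshold = max(MIN_ALERT_RPS, SPIKE_FACTOR * baseline)
        if len(past) == BASELINE_WINDOW and count > threshold:
            hot_streak[host] += 1
            if hot_streak[host] == SUSTAIN_SECONDS:
                alerts.append((host, second, count))
            # Hot seconds are kept out of the baseline so the flood
            # cannot raise its own threshold.
        else:
            hot_streak[host] = 0
            past.append(count)
    return alerts


def constructed_samples():
    """Constructed data: two apps at steady load, then a ramp on one of them."""
    rows = []
    for s in range(60):
        rows.append((s, "blog-app.example", 5))
        shop = 20 if s < 40 else min(20 * 2 ** (s - 39), 9_000)
        rows.append((s, "shop-app.example", shop))
    return rows


if __name__ == "__main__":
    for host, second, rps in detect_floods(constructed_samples()):
        print(f"{host}: {rps} rps at t={second}s "
              f"(edge auto-trigger is ~{EDGE_AUTO_TRIGGER_RPS} rps)")
```

On the constructed ramp the alert fires at 1,280 rps, while the edge threshold would not yet have been reached.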


This topic was automatically closed after 14 days. New replies are no longer allowed.