Is my Bubble app hacked?

So I’ve been noticing some VERY strange activity on my Bubble site.

  1. Random db entries are created in a section (table) that is restricted
  2. Very specific db entries have been deleted, but that should also be restricted.

Both have happened several times and both are restricted to certain types of users.

No matter how much I try, I just cannot seem to make sense of it.

Has anyone else experienced anything like this?

1 Like

Have you looked at your logs to narrow down time stamps and/or looked at the “Created By” field to see which user created the new entries? Do you have anyone added as a collaborator on the app? Is it public/private?

1 Like

Yeah, I’ve looked at the ‘Created By’ field to try and narrow it down. They’re seemingly random users who’ve created the entries. The thing is, there is a field that should auto-populate with certain values that are not being filled in. What’s more concerning is the loss of data. I’m not sure what clues I can use to see who is deleting data. I’m not on the professional plan, so I don’t think I have any logs to sift through?


(Thanks for your reply, though)

1 Like

Log reporting should be included In every package in my opinion. Exactly because of this. At least simple reporting. Maybe not huge dashboards or with great detail, but any paying owner should be able to at least know what is happening in his app. Or maybe as priced add-on. But at least have the option :slight_smile:


I’ve seen quite a few Bubble apps that’s very easy to hack so it’s quite possible your app have been hacked.

Is the app that’s been hacked public or private?

1 Like

That is indeed the right question. Was the app protected in run mode by a password or not? If it isn’t, anyone can find the URL and use the app. It’s not a hack, it is that the internet is an open, public space.

If you want to make sure that doesn’t happen, you should add a password in run mode and of course make the app editing private as well.


Emmanuel can you elaborate and/or point to instruction on how to “add a password in run mode”.


This covers it

Thank you :slight_smile:

Could you please enable a password setting for each page? I would like to set a pwd for admin pages, and not the entire app.

I’m sure others would find this useful too.


You can do this by setting a page load event and redirect users that shouldn’t access some pages. That offers more flexibility to the app builder, and performance wise, checking this for each page would not be efficient.

1 Like

Hi Emmanuel,

I’ve done this but was testing it recently to see if it is strong enough. It is not - it is extremely easy to get around. Rather than document how here, I will reach out to support and let you know (bug report).

Regardless, far more peace of mind would be available if you just let users set this per page.


1 Like

uhhhhh, that doesn’t sound reassuring.

1 Like

What I do for admin pages is assume anyone can get access to them, so in addition to the redirect:

  • All controls are in a group that becomes visible if user has admin access.
  • Data searches have a filter on the user having admin access.
  • Workflows have conditions on the user having admin access.
  • Data privacy settings for user role/admin.

These are excellent and mandatory practices every single Bubble developer needs to implement. If you aren’t doing these things, you are compromising your app and your users’ data. While the Bubble team can make some things easier, it is ultimately up to the developer to build out robust security measures.


Welp, all of my rows of data have been deleted and replaced with ‘hacked’ rows.

Here is what I had on April 8th (94 rows):

And now this is what I have (April 14th)

I only have one workflow that performs a ‘delete’ operation and that page is (should be) only accessible by specific users.

This is, umm… bad.

Hopefully I can restore the data, but more importantly, hopefully I can figure out how this is being done and who is doing this.

1 Like

Could you show me what you’ve found? Or take a look at my app to see if what I’m doing is not secure?

After looking the app it turns out there was some workflows that could delete entries that were not protected by a condition on the user.

The lesson is: if you have some pages that aren’t protected with conditions, users can do a bunch of stuff.

Now the good news is that Bubble has database backups.


Regarding this, when we define some custom action in the workflow editor, do we need to put conditions on the custom action itself, or only in the steps/workflows that call it ?

Just as the “Performance Q&A Guide” thread, it would be interesting to create a “Security Q&A Guide” thread :slight_smile: