DDoSecrets publishes 410 GB of heap dumps, hacked from TeleMessage

TeleMessage security failure and heapdump mechanics

  • Central issue: an unauthenticated /heapdump (Spring Boot Actuator) endpoint on a message-archiving server exposed heap dumps over HTTP.
  • Some note that Actuator used to expose such endpoints more broadly by default; others stress that exposing them publicly still requires misconfiguration (e.g., over‑permissive exposure.include=*, same port as app, no auth).
  • Docker Compose auto-opening ports and weak firewalling are cited as compounding factors.
  • Heap dumps contain plaintext in‑flight messages, metadata, and potentially keys and secrets; DDoSecrets appears to have extracted text rather than distributing raw dumps, explaining the 410 GB figure.
  • Several commenters argue this is “rookie” opsec, especially for a product sold to governments for compliance.
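As an added illustration of the misconfiguration the thread describes (constructed here, not taken from TeleMessage's code or from the thread), the following shows a Spring Boot `application.yml` and a Docker Compose service in the shape that puts `/actuator/heapdump` on the public network, beside a hardened version of the same two files. The `management.*` keys are the real Spring Boot Actuator property names; the service name, image tag and port numbers are assumed placeholders.

```yaml
# ===== WEAK SHAPE (constructed example): every actuator endpoint on the app's public port =====
# application.yml
management:
  endpoints:
    web:
      exposure:
        include: "*"       # exports every endpoint over HTTP, heapdump included
  # no management.server.port  -> actuator shares the application's port (8080)
  # no security filter on /actuator/** -> unauthenticated access
---
# docker-compose.yml
services:
  archiver:                          # assumed service name
    image: example/archiver:latest   # placeholder image
    ports:
      - "8080:8080"                  # publishes on 0.0.0.0; Docker's own iptables rules
                                     # commonly bypass host firewalls such as ufw

# ===== HARDENED SHAPE (same two files) =====
---
# application.yml
management:
  endpoint:
    heapdump:
      enabled: false                 # remove the endpoint entirely on internet-facing services
  endpoints:
    web:
      exposure:
        include: "health"            # allow-list only what monitoring actually needs
  server:
    port: 9090                       # actuator on its own port ...
    address: 127.0.0.1               # ... bound to loopback only
---
# docker-compose.yml
services:
  archiver:
    image: example/archiver:latest
    ports:
      - "127.0.0.1:8080:8080"        # app reachable only through a reverse proxy on the host;
                                     # port 9090 is deliberately not published at all
```

Two points the thread's debate turns on are visible here: Spring Boot 2.x exposes only a minimal set of endpoints over HTTP by default (health, and in some versions info), so `include: "*"` is an explicit opt-in rather than the framework's default; and a port mapping without a host address publishes on every interface, which is why the Compose file and the firewall have to be reviewed together. If operations staff genuinely need remote access to actuator endpoints, the remaining step is an authentication filter on `/actuator/**` (for example via Spring Security) rather than relying on the port being obscure.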

Espionage vs incompetence

  • Some speculate TeleMessage was an intentional intelligence asset or used for covert collection.
  • Others argue a public heapdump endpoint contradicts a sophisticated espionage design and fits incompetence better (invoking Hanlon’s razor).
  • A middle view: both could be true—exploitation of plaintext archives plus careless exposure.

Government use, regulation, and responsibility

  • TeleMessage’s role is to satisfy legal archiving requirements for encrypted apps; critics note it archives in plaintext instead of using customer-controlled keys.
  • Debate over whether US officials violated rules by using this tool for highly sensitive discussions, even if the app itself may have been on an approved list.
  • Some emphasize that leaders intentionally circumvent official secure channels for deniability; others place blame on IT and acquisition processes.

Signal, forks, and branding

  • TeleMessage’s Signal fork is used as an example of why Signal opposes third‑party clients/forks connecting to its service: one insecure client compromises group security.
  • Discussion distinguishes between protecting trademarks (fairly standard) and Signal’s broader hostility to interoperable alternative clients.
  • Some criticize Signal’s public silence on this incident; others say Signal is not at fault and speaking up would only attract misplaced blame.

Ethics of disclosure and DDoSecrets’ role

  • DDoSecrets is only sharing the data with journalists/researchers, not fully “publishing” it; some see the headline size and “publish” language as misleading marketing.
  • One camp argues for a maximal public leak to impose painful political consequences and deter future misuse of insecure tools.
  • Others warn this veers into accelerationism, risks collateral damage (informants, bystanders, PII), and that “hurting people to wake them up” is ethically dangerous.
  • There is skepticism about journalists’ current ability to check power, and some distrust DDoSecrets itself; details about those concerns are mentioned but not resolved in the thread.

Broader security and policy takeaways

  • Heapdump endpoints and similar debug features are cited as things security standards should outright forbid on internet-exposed services.
  • Some call out Java ecosystem defaults and library authors for underestimating how often developers misconfigure security.
  • The incident is referenced as a potent counterexample to proposals for mandated encryption backdoors and as evidence that “secure for me, not for you” is both common and fragile.