Hack Club has been handling children's data for 4 years without a privacy policy


how i got here

november 2024. i got an email from github education with the subject line "Set sail with Hack Club High Seas 🚢" and something about it just caught my eye. probably the ship emoji, if i'm honest. but i thought "wow, this looks fucking amazing, i ought to take part."

and i did. got properly hooked, actually. made a few projects - they weren't particularly good, but i had FUN doing them. and that's kind of the whole point, isn't it? there were issues, sure - high seas being slow as hell sometimes, peer voting being a bit dodgy, the inevitable flood of AI generated projects - but most of the other projects were full of heart. you could tell people were actually building things they cared about.

that's what got me invested in hack club. not the free stuff (though that's nice), but the feeling that there was actually a community of teenagers building things and helping each other out. it felt different from everywhere else online.

which is why what i found later was so disappointing.

act one: what they got right (the top slice)

look, i need to start with this: hack club's mission is genuinely brilliant. empowering teenagers to build, ship, and create things they care about? that's important work. most schools treat you like you're just there to absorb information and regurgitate it on tests. hack club says "no, you can make stuff that actually matters, right now."

and the community, when it's working properly, is something special. you know how stack overflow is? ask a question, get downvoted, someone tells you "this has been asked before" without linking to where. discord servers are full of people being passive-aggressive. but hack club built something different - a space where teenagers actually help each other. where you can ask "how does this work?" and get a proper explanation instead of being made to feel stupid.

one person put it perfectly: "if i post in this slack - i get a person who is kind enough to explain it to me in detail and a community to support me on. hack club tolerates none of what i described before, which is the social-norm everywhere else."

the programmes are stupidly cool too. YSWS (you ship, we ship) where teens build projects and hack club sends them hardware, grants or prizes. hackathons where hundreds of students get together to make things. summer of making, arcade, high seas - programmes that reward teenagers for following their interests. hack club bank letting student organisers access fiscal sponsorship and financial tools. neighbourhood offering housing in san francisco for coding projects. this is what makes students actually want to build things, not just show up.

and the transparency thing? groundbreaking. most nonprofits are black boxes - you have no idea where money goes, who makes decisions, how things work. hack club open-sourced their code, their finances (you can see HCB transactions), their processes. teenagers could see exactly how things worked and contribute. there was this whole "leeks" culture where you'd get excited about upcoming programmes because you could see them being built. that is genuinely special.

the opportunities for teenagers to take real responsibility are rare. most places put teens on "youth advisory boards" where you get to feel involved without actually doing anything. at hack club, teenagers are running production systems, organising events, building the infrastructure. that trust in young people's capabilities is outstanding - when it works properly.

the real impact

and look, this isn't just abstract "empowerment" nonsense. people are actually doing amazing things.

one person shared their story: stumbled upon hack club through a github email, was able to ship their first app ever. college admissions didn't go as planned, so they took a gap year. during that year, thanks to what they'd built through hack club, they landed a full-stack software engineering internship at a reputable company and got a freelance gig doing app development. they said "none of them pay well but for my experience and age it is awesome to be able to do things this cool... and i would certainly say Hack Club played a huge role in it."

someone else listed all the things they tried for the first time because of hack club: "I created my first pcb, advanced hardware, VR application, my own programming language, CLI application, a reinforced ML agent, ARM assembly, my mouse, 3D website, mcp, slack discord telegram Bot, a desktop application... All these were my first time!! And the learning from these has much more value in my life than the prizes I got."

another person talked about making a game called voidborne during summer of making. started as "just another project" to get shells (the currency), but "it quickly evolved into smth else. it made me realize not everything i do is for prizes... i genuinely stopped caring about SoM and prizes, and just worked for the sake of making the game i had envisioned, something i could genuinely be proud of. seeing everyone so happy upon shipping it and seeing everyone i knew across slack playing it was the best experience i ever had in hackclub."

that's the magic when it works. teenagers trying things they thought weren't possible. building things they're genuinely proud of. getting opportunities that lead to real jobs and real skills. "i joined for the prizes," someone said, "and stayed for the community."

as zach (the founder) put it: "Ultimately the thing we are trying to do here is create a space where people build real projects they're proud of (and through that, hardcore technical skills), lifelong friendships, and experiences of incredible adventures like traveling across the world to go to a hackathon."

and when that's happening? it's genuinely beautiful.

act two: where it all went wrong (the filling)

but here's where the shit sandwich gets its name.

the data protection failures

so in july 2025, i discovered that neighbourhood was exposing thousands of users' full legal names through an unprotected API endpoint. literally anyone with a slack ID could access this data. no authentication, no nothing. just a URL parameter and boom, there's your real name.

i sent formal breach notifications to [email protected] and [email protected] on july 9th. radio silence. nothing. not even an automated "we've received your email" response.

when i tried talking to HQ staff informally, the responses were... well, shocking doesn't quite cover it. the first intern told me that since hack club is US-based, they're "not held to GDPR," that if fined "nothing compels us to pay it," and that EU people "void your EU protections" by coming to the US.

when i pointed out that not having a privacy policy is itself a violation, they admitted they got this legal advice from chatgpt. yes. chatgpt. for legal advice about handling thousands of minors' personal data.

thinking "okay, this is just one person who doesn't know better," i was pretty surprised when another intern came at me with the same attitude - "you know that eu can't do a shit with hackclub" because there's no physical presence in europe. when i pointed out payment processors and hosting make them liable, they switched tactics to "it'll never be enforced anyway" because "no one will" take them to court. then called me "annoying" for pushing the issue.

but here's where it gets properly ridiculous. i raised this with chris, who's a full-time staff member (not a teenager), and he insisted that exposing physical addresses and sensitive info was "just a vuln" not a breach. said he's "never heard the term 'data breach' used that way" and... also relied on chatgpt instead of actual legal advice.

the exact same pattern. teenage intern using chatgpt for legal advice? concerning. full-time adult staff member doing the same thing? that's not a mistake, that's institutional practice.

the pattern continues

and here's the thing - this wasn't a one-off. it keeps happening.

neighbourhood: exposed full legal names, emails, and home addresses. one community member noted that "many were filed [reports], however, right after one was patched, the organisers would push vulnerable code all again, exposing AGAIN the PII leaks. also, no one was warned that their data was exposed." so they'd fix it, then immediately break it again. rinse and repeat.

juice: leaked participants' names, phone numbers, emails, and flight receipts for over 7 months. two passport numbers were sitting there in airtable, publicly accessible. the endpoint had zero authentication - just pass an email in a URL and get everything. when i reported it, HQ initially claimed "flight receipts were not exposed" and the "most damning information is just phone numbers and names." then people started providing evidence - actual screenshots of flight receipts, passport numbers visible - and they had to walk it back. classic deny first, admit only when caught.

high seas: exposed location data through unprotected endpoints. same story, different programme.
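the three endpoints above share one shape: an identifier in a url parameter, no check on who is asking, the whole record returned. as an added example (not hack club's code; every user, session and field name here is made up), the vulnerable pattern next to a handler that authenticates the caller and then decides per record what they may see:

```python
"""
constructed example: a "lookup by identifier" endpoint of the kind described in the post
(slack id or email in a url parameter, no authentication, full record returned), beside
a hardened handler that checks who is asking and what they are allowed to see.
not hack club's code; users, sessions and field names are invented for this example.
"""
import hashlib
import secrets

# constructed sample records; the personal fields stand in for what the leaked endpoints returned
USERS = {
    "U01AAA": {"slack_id": "U01AAA", "email": "alice@example.org",
               "full_name": "Alice Example", "address": "1 Example Street"},
    "U02BBB": {"slack_id": "U02BBB", "email": "bob@example.org",
               "full_name": "Bob Example", "address": "2 Example Street"},
}
ADMINS = {"U00ADM"}
# fields another signed-in member may see; everything else is personal data
MEMBER_VISIBLE = ("slack_id",)


def find_user(params):
    """resolve a record from either identifier the post mentions (slack id or email)."""
    if "slack_id" in params:
        return USERS.get(params["slack_id"])
    if "email" in params:
        return next((u for u in USERS.values() if u["email"] == params["email"]), None)
    return None


def vulnerable_lookup(params):
    """the pattern described in the post: anyone who can guess an id gets the whole record."""
    record = find_user(params)
    return (200, dict(record)) if record else (404, None)


# server-side sessions: the client holds a random token, the server stores only its hash,
# so a leaked session table cannot be replayed against the endpoint
SESSIONS = {}


def issue_session(slack_id):
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = slack_id
    return token


def caller_from_headers(headers):
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(hashlib.sha256(auth[7:].encode()).hexdigest())


def hardened_lookup(params, headers):
    """authenticate first, then authorise per record: the owner or an admin gets the full
    record, any other signed-in member gets only the non-personal fields, and lookups by
    email never confirm to other members that an address belongs to anyone."""
    caller = caller_from_headers(headers)
    if caller is None:
        return (401, None)
    record = find_user(params)
    if record is None:
        return (404, None)
    if caller == record["slack_id"] or caller in ADMINS:
        return (200, dict(record))
    if "slack_id" not in params:
        # looked up by email: do not let other members enumerate who is a participant
        return (404, None)
    return (200, {k: record[k] for k in MEMBER_VISIBLE})
```

the status tuples stand in for http responses so the handlers can be exercised without a web framework.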

thomas's log files: in september 2025, thomas committed and pushed log files to git containing emails, full names, physical addresses, dates of birth, and phone numbers of 3 minors. the response? private the repo, ask github to clear it from forks, job done. thomas said: "I have since started using git add <fileName> instead of git add ."

mate. that's not learning from a mistake. that's basic git hygiene you should've been following from day one. this is like saying "i learned not to leave my car unlocked after someone nicked it three times."
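switching from git add . to git add <fileName> still relies on the person remembering. as an added example (not hack club's or thomas's code; the filename rules, patterns and sample log line are made up), a pre-commit hook that refuses the commit when a staged file looks like a log or contains the kinds of personal data the post says were leaked:

```python
"""
constructed example: a git pre-commit hook that scans the staged content of each file
(not the working copy) for log-like filenames and for emails, phone numbers and dates of
birth, and blocks the commit when it finds any. not hack club's code; the patterns here
are deliberately crude and are meant to be tuned per repository.
"""
import re
import subprocess
import sys

# filenames that should never be staged at all (keep the same rules in .gitignore too)
BLOCKED_NAME = re.compile(r"(^|/)(.*\.log|logs?/.*|.*\.sqlite3?|\.env)$")

# detectors for the personal data the post describes in the leaked log files
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?<!\d)(?:\+\d{1,3}[ -]?)?(?:\(?\d{2,4}\)?[ -]?)\d{3,4}[ -]?\d{3,4}(?!\d)"),
    "date_of_birth": re.compile(
        r"\b(?:dob|date[_ ]of[_ ]birth|birthday)\b[^\n]{0,20}?\d{1,4}[-/.]\d{1,2}[-/.]\d{1,4}", re.I),
}


def scan_text(path, text):
    """return a list of (path, line_no, kind) findings for one file; line 0 = filename rule."""
    findings = []
    if BLOCKED_NAME.search(path):
        findings.append((path, 0, "blocked filename"))
    for no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PII_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, no, kind))
    return findings


def staged_files():
    """paths added, copied or modified in the index, i.e. what this commit would publish."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]


def staged_content(path):
    """read the staged blob rather than the file on disk, so unstaged edits cannot hide data."""
    return subprocess.run(["git", "show", f":{path}"],
                          capture_output=True, text=True, errors="replace").stdout


def main():
    findings = []
    for path in staged_files():
        findings.extend(scan_text(path, staged_content(path)))
    for path, no, kind in findings:
        print(f"{path}:{no}: {kind}", file=sys.stderr)
    if findings:
        print("commit blocked: unstage the file or redact the data before committing", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

installed as .git/hooks/pre-commit (executable), this runs before every commit regardless of whether git add . or git add <fileName> was used.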

one person who was affected put it perfectly: "I believe, that if someone leaks data once it could be forgiven, but if it happens multiple times, one should rethink the way that data is handled."

what about notifications?

filed a formal DSAR (data subject access request) on july 18th. three months later: nothing. no email, no data, complete silence. the [email protected] contact got taken down after people complained publicly about it. data deletion requests? same thing - ignored. another user noted: "same for data/gdpr removal requests."

when zach (the founder) finally showed up in meta on july 10th, he said "Improving our policies around data is something that we started about 2 weeks ago and will probably have updates by end of September on."

spoiler alert: end of september came and went. no updates.

the surveillance infrastructure (orpheus engine)

so one day, someone in the community was poking around hack club's public repositories and found something called orpheus-engine. turns out hack club's been running this dagster pipeline every ~6 hours that:

  • profiles YSWS submission authors across social platforms using bright data and openai
  • sends full names and countries to third-party APIs (genderize, openai) to guess people's gender
  • uses OSINT techniques to search for where projects get mentioned across reddit, hacker news, etc.
  • geocodes addresses and archives project pages/repos
  • collects git commit emails

was any of this disclosed beforehand? no. opt-in? no. privacy policy explaining it? also no. the community only found out because someone stumbled across it in the public repos.

when people asked about it, staff justified it as "necessary for sponsor analytics" - basically they need to show sponsors demographics and "impact" metrics. which, fair enough, sponsors want data. but maybe tell people you're profiling them across social media first?

the vibecoding problem: when "just ship it" meets critical infrastructure

here's a fundamental problem that underlies a lot of this: the culture of "vibecoding" critical systems.

someone in meta put it perfectly: "Honestly right now it feels like there's too much emphasis on the 'just ship it' mentality, especially for infrastructure that's handling sensitive data or forms the backbone of official events... when you're building systems that manage real user data, participant logistics, and authentication flows, the bar has to be higher. These aren't just random personal side projects, they are the core parts of real experiences that affect real people."

they went on: "From what I've seen, there's a worrying lack of professional oversight or experienced review when it comes to security and infrastructure. Things are being 'vibecoded' quickly spun up without clear planning, code quality control, or long term maintainability."

what's vibecoding? itai explained it: "vibecoding... is to push AI code without looking over it and/or constraining and testing it. unfortunately, when critical infrastructure such as DNS is vibecoded, a LOT of shit will break!"

and break it did. neighbourhood. juice. highseas. thomas's public log files. these weren't isolated incidents - they were the inevitable result of prioritising speed over security when handling people's personal data.

felix and others kept saying "please no more vibe coding" and calling for an actual DPO (data protection officer). but the culture remained: ship fast, deal with consequences later. except when you're dealing with teenagers' passport numbers and addresses, "later" is too fucking late.

the "hacker spirit" of rapid iteration is great for side projects. it's dangerous for production systems holding sensitive data. and hack club never seemed to learn the difference.

minors making critical legal decisions

14-16 year old interns are handling:

  • gdpr compliance decisions
  • security breach responses
  • legal interpretation of data protection requirements
  • bounty assessments for bug hunters

these aren't "learning experiences" - they're critical legal and compliance roles that require qualified professionals.

the $25 payout incident

so when i reported the neighbourhood vulnerability (the one exposing thousands of users' full legal names), rowan handled it. rowan's a teenage intern. the payout? $25. they'd reduced it from the "base amount" of $50 because:

  • i reported it via email to [email protected] instead of using their form
  • i apparently "did not approach the situation with care"

rowan claimed they were "already working on a fix" because someone else reported it in july, and that he "follows up weekly on those reports." which would be fine, except i had screenshots. actual DMs between rowan and thomas where thomas said he "never wanted to fix it" and that "sadly nothing" could be done about the vulnerabilities.

when i pointed this out and shared the screenshots, rowan's response was: "i got to go to bed soon."

and look - i don't blame rowan for this. he's a teenager who was put in charge of security bounty decisions, legal compliance interpretations, and managing bug hunters. of course he's going to bed soon - he's probably got school the next day. the problem isn't that rowan made mistakes, it's that he was put in a position where those mistakes affected thousands of people's data security.

the bounty programme's problems

as one community member pointed out: "Currently the Security Program's payout rules aren't logical - it goes against the founding principles of this program... what we should do is being generous about the payouts - doing so can instill confidence in people's heart, buy people's trust in Hackclub."

another asked: "if you found a security vulnerability within hackclub, severe or major, given how they have currently handled reports so far, would YOU report it and go through the same process and payouts that previous people have experienced?"

the answer from most people was a resounding no.

someone else noted the irony: "also kinda funny given the two people running the security program have gotten several thousands in bug bounties themselves."

the juice vulnerability? i was told my payout would be docked entirely because i shared the vulnerable endpoint in a private group chat (which fewer than 10 people saw) after reporting it through proper channels. apparently "responsible disclosure" means "don't tell anyone ever, even in private" - which is a great way to discourage people from reporting issues.

exploitative labour practices

the "regional manager fellowship" pitched as a "near full-time" role for 6 months offers a $350 baseline stipend (works out to roughly $2.69/hour if actually full-time). when challenged about minimum wage, staff responded:

  • "it's a contractor role" (to sidestep employment law)
  • "worst case - no regional managers in europe"
  • "most people would be happy doing it for free"
  • "a @hackclub.com email is an amazing perk"

teenagers are positioned as "independent contractors" to avoid employment protections, holiday pay, and wage floors. this isn't "scrappy nonprofit" energy - it's child exploitation dressed up as opportunity.

the enshittification process

hack club has followed the classic pattern:

  1. build community goodwill with genuine mission and values
  2. grow large enough that individual users become expendable
  3. prioritise institutional interests over user protection
  4. dismiss criticism as "toxic" or "unconstructive"
  5. rely on defensive PR instead of actual accountability

the community notices

the community's noticed, and they're not exactly keeping quiet about it.

one person put it like this: "i joined hackclub a year ago and it was enjoyable, i had fun building new shit and enjoyed the free stuff because it made me feel my projects were worth spending time on. the community was engaging and helpful. now however? the yswses seem more unpolished... hackclub has become less about creating for the sake of it and more about making sloppy work for free stuff."

another: "Hack Club was once a community. A community that helped each other... A community that built amazing things together. But sometime, this year or last, things had changed quite... drastically... If HC was a community then, I'd say it's now a micro-society. A society, where you do X to exchange for Y, quantity (time/hours) over quality (personality and originality)."

"i really don't like how hc is right now... when i joined around a yr ago it was more technical and it had people actually trying to learn and grow instead of posting random videos of brain rot and meowing every few minutes."

"meta derailed from its original purpose... it's more about venting about problems in hackclub now rather than taking on direct community issues."

technical conversations have dried up. programmes feel rushed and low-quality - 15+ YSWS in one summer, many being one-day events or minor add-ons. growth metrics (hours spent, submission counts) have replaced actual impact. the open-source culture's eroded.

chris (HQ staff) even acknowledged there's always been drama: "A year ago <#meta> and hack club broadly had every bit as much toxicity and drama as it has today! Like, literally just scroll back to a year ago and read the dozens and dozens of dumpster fire threads about HQ democracy, about how arcade was the worst thing we had ever done..."

but here's the thing - yeah, there's always been drama. but acknowledging "it's always been messy" doesn't excuse the fact that the specific problems now are about data protection, legal compliance, and exploitation of minors. those aren't just "community vibes," those are institutional failures with actual real-world consequences.

the semantic games

when confronted about failures, hack club staff engage in:

  • arguing about the definition of "data breach" vs "vulnerability"
  • claiming US location exempts them from GDPR despite processing EU data
  • using "fellowship" language to avoid labour law
  • dismissing formal emails as "back channels"
  • treating 72-hour breach notification requirements as suggestions

email compliance failures

hack club has repeatedly:

  • automatically opted users into marketing emails when signing up for programmes
  • re-subscribed users who previously unsubscribed
  • used physical addresses collected for identity verification for mail forwarding without consent
  • operated for months without a privacy policy explaining any of this

this violates CAN-SPAM act, PECR, and basic consent requirements.

the response to criticism

when community members raised concerns:

  • they were told to "just make a PR"
  • their concerns were dismissed as not understanding how nonprofits work
  • they were accused of being "toxic" or having a "vendetta"
  • threads were locked
  • staff played victim about being "attacked"

one particularly revealing response from max (HQ staff) blamed the community for making things worse:

"what it spiraled into because the fake stuff went out sooner than the truth: • someone DDoS'ed HC • supply chain attacks– people contacting our server providers and almost shut down all HC infra • people finding personal contact info of HC adjacent people (ie. donors) and harassing them • spam/doxing attempts outside of official HC channels"

so instead of acknowledging the root cause - actual data breaches and mishandling - the focus shifted to blaming "fake stuff" and community reactions. classic deflection.

the real-world consequences

one affected user shared: "I don't know who you are, but I feel extremely sorry for you and I think at the very least Hack Club should provide some kind of data protection service for free for some time to people who suffer from their data breaches, and Hack Club should also invest more in preventing them from happening."

another community member noted: "HC should be getting outside parties to do a security test against basically everything ngl, get things verified as safe to process data. there should also be requirements imo for how sites are built, data managed, git repo setup and commits, etc."

but the most telling comment came from someone who experienced it firsthand: "this kinda fortifies my whole issue as well. we should not be letting kids handle this data without proper training. and so far, it's very clear that they've had none. or they just simply don't care and want to get something rushed out as fast as possible."

the "small team with limited resources" myth

here's a fun one you'll see constantly when questions come up about security, proper processes, or fair compensation: hack club loves to position itself as a "small team" with limited resources.

max (HQ staff) put it this way: "Hack Club is not a high paying job. People work here and run programs because Hack Club changed their lives and they want to run life-changing programs for the next generation of Hack Clubbers. The work is a labor of love."

sounds noble, right? a scrappy nonprofit doing its best with limited resources? when someone asked about expanding HCB to pakistan, ian responded: "We don't think this is fair, but there is literally nothing we can do to change it without incurring millions of dollars in expenses." another staff member chimed in: "HC is not really big."

except here's the thing: you can check their finances yourself at hcb.hackclub.com/hq - they're transparent about it, remember? when someone thought HQ "only had like 2.5m", another community member corrected them and pointed to the actual balance. as of discussions in 2025, people were citing "$4 million dollars in bank" or more.

let me be clear: they have millions in the bank. not thousands. millions. and yes, zach mentioned it would cost "$1m in development and legal costs to set up HCB for Europe and at least $500k/year in ongoing legal and compliance costs" - which is a lot. but when you're sitting on multiple millions and claiming you can't afford to pay security researchers proper bounties or regional managers minimum wage, the maths doesn't add up.

what they claim they can't afford

  • hiring qualified legal counsel instead of consulting chatgpt (since i first said this, they have finally hired a lawyer)
  • paying bug hunters proper bounties ($25 for hundreds of exposed names)
  • paying regional managers minimum wage ($350 for 6 months near full-time work)
  • implementing proper data protection infrastructure
  • hiring a data protection officer
  • properly training staff handling PII
  • fulfilling DSAR requests in a timely manner

but somehow they can afford:

  • $200k+ openai bills (as mentioned in community discussions about orpheus engine costs)
  • paying for genderize API to infer gender from names
  • paying for bright data proxy networks to scrape social media
  • sending letters and physical prizes to thousands of participants

when challenged about the exploitative regional manager pay, someone pointed out: "assuming 20 RM's are hired and each makes idk, $1750 on average, you get a total expenditure of: $35,000. yeah the budget is suffering so hard because of this /s"

$35,000 to pay teenagers fairly. they have millions. do the maths.

but the justification persists. as one community member noted: "Hack Club has tons of people willing to jump in and help, often for free. They are not starving for hands."

see, it's not that they can't afford it. it's that they don't have to, because teenagers will work for "exposure" and the promise that it's a "labor of love."

the visibility problem

part of how they maintain the "small team" image is by being deliberately vague about who actually works for hack club. when someone asked "Is there a way to identify HC employees and YSWS organizers in the slack?" the responses were telling:

  • "you can find (most of) the hc employees at hackclub.com/team/" (note: most of them)
  • "some say on their profiles" (but not all)
  • "But i don't know why Slack doesn't show roles like Discord, since there is a staff role"

one person noted: "I would appreciate if everybody who worked for HC would put it on their profiles." but many don't. this creates plausible deniability - when a teenage intern gives bad legal advice or mishandles a security report, it's easy to claim "oh they're just a community member" even though they're literally running official programmes.

when questioned about who counts as "HQ staff," someone said "i'd define staff as anyone who gets a paycheck." but even that's murky because of all the "volunteers" and "fellows" and contractors who aren't technically "staff" but are making critical decisions about other people's data.

the opacity serves a purpose: it lets them leverage unpaid or underpaid labour while maintaining the "scrappy small nonprofit" image, even when they're sitting on millions and running programmes that affect tens of thousands of teenagers.

interlude: the cost of "learning experiences"

here's the uncomfortable truth that nobody at HQ wants to address: when you position critical security and legal compliance roles as "learning experiences" for teenagers, the people who pay the price aren't the teenagers learning - it's the thousands of minors whose data gets exposed.

thomas admitted he learned to use git add <fileName> instead of git add . after leaking 3 minors' PII. that's great that he learned something. but those 3 people's data - full names, addresses, dates of birth, phone numbers - was publicly accessible on github. you can't un-leak that.

rowan learned about weekly follow-ups and proper communication after cutting payouts and lying about fix timelines. fantastic personal growth. but thousands of users' legal names were exposed for months while he "learned."

the teenage interns learned that chatgpt isn't a substitute for legal counsel after giving wildly incorrect GDPR advice. wonderful lesson. but EU residents' data protection rights were violated in the meantime.

and the cost isn't just on the community - it's on the interns, volunteers and staff too. as zach himself admitted: "One of the first trainings I had to give some of the interns and new gap years this summer was how not to be emotionally devastated by #meta because there were some posts about them. It sucks that I had to have that conversation before I even had a chance to show some of them how to get a website deployed on Hack Club infra."

he went on: "Staff members lie awake at 11:30 pm on their phones doomscrolling #meta because they care and want to improve. But they are just getting bullied by anonymous people who speak with absolute authority, sometimes make threats, and generally have a bullying and belligerent attitude."

so let's be clear: you put teenagers in critical legal and security roles without proper training. they fuck up (predictably). the community criticises the fuck-ups (reasonably). then you blame the community for "bullying" the teenagers you put in those positions.

the solution isn't training interns to cope with criticism. the solution is not putting people in roles that handle thousands of people's sensitive data in the first place.

this isn't hypothetical harm. these are real people - many of them minors - whose personal information was mishandled, exposed, and inadequately protected because hack club decided that "empowering teenagers" meant putting them in roles they weren't qualified for without proper oversight.

and when challenged on this, the response isn't "you're right, we need qualified adults handling this" - it's "you're being toxic and unconstructive."

act three: what it means (the bottom slice)

here's the thing: i still believe in what hack club could be.

empowering teenagers to build amazing things is important work. the world needs more spaces where young people are trusted, supported, and given real opportunities. the core idea - that teenagers can and should make meaningful things - is right.

the community still has incredible people in it. teenagers helping each other learn, shipping ambitious projects, supporting one another through challenges. the "radical acts of kindness" that built hack club haven't disappeared entirely.

but the organisation has lost its way. it has prioritised growth over sustainability, metrics over meaning, institutional protection over user safety. it's become what it once stood against: another tech organisation that talks about transparency while operating in secrecy, that preaches empowerment while exploiting labour, that claims to care about teenagers while systematically failing to protect their data.

the path forward exists:

  • remove minors from legal compliance and data protection roles
  • implement actual data protection processes with qualified professionals
  • stop playing semantic games to avoid legal obligations
  • provide proper training and oversight for anyone handling user data
  • establish clear escalation paths for security issues
  • publish and follow actual privacy policies
  • treat security researchers as partners, not annoyances
  • acknowledge institutional failures instead of playing victim
  • pay teenagers fairly for real work
  • return to genuine transparency, not PR-managed disclosure

the infrastructure for greatness is still there. the mission is still valid. the community still has the potential to be something special. but it requires leadership to choose accountability over image management, protection over growth, and people over metrics.

hack club can still be the organisation it claims to be. but it has to want to be better more than it wants to look good. and based on the pattern of responses over the past months, that shift hasn't happened yet.

the story isn't over. but the next chapter will determine whether hack club becomes a cautionary tale about organisational enshittification, or a redemption story about an organisation that listened, learned, and became what it always claimed to be.

right now, it could go either way.

epilogue: what i've learned from all this

i've spent months on this. formal emails, meta posts, private conversations, evidence gathering, arguing with staff, getting called toxic, watching payouts get cut, seeing data requests ignored. honestly? it's been exhausting.

but here's what really gets me: i genuinely wanted hack club to succeed. still do, if i'm honest. the mission is too important to let it fail because of institutional arrogance and mismanagement.

when i first found the neighbourhood vulnerability, i thought "okay, this is a problem, i'll report it properly, they'll fix it, everyone learns something." naive, sure. but i genuinely believed in the whole "we're all learning together" thing.

the response wasn't what i expected:

  • chatgpt legal advice from multiple staff members
  • $25 for thousands of exposed names
  • "you're annoying" for following up
  • "it'll never be enforced anyway"
  • three months of ignored DSAR requests
  • the gdpr contact email being taken down after complaints
  • being accused of not using "proper channels" when i literally used [email protected]
  • watching the same developer cause the third or fourth breach with the same "oops learned my lesson" response

but here's the thing - even after all this, i've seen what hack club can be at its best.

one community member put it perfectly: "Some of you (including me) don't seem to realise how lucky we are to have something like Hack Club. Hack Club, a community where we all share the same interest and mindset. Hack Club, a community where I feel empowered and respected. Hack Club, a community where I'm rewarded for, what, following my own interests?!"

they're absolutely right. when hack club works, it's genuinely magical. teenagers building things they never thought possible. communities forming around shared interests. people getting opportunities that change their lives.

but that same person also said: "HQ, I can't speak for others, but all I'm asking for is a bit of transparency. You can't ask us to be constructive when you don't tell us what you've tried, what you've stuck with, and why it works."

and that's the core issue, isn't it? transparency without accountability isn't transparency - it's just PR. open-sourcing your finances is great, but if you're also ignoring GDPR requests and paying teenagers $2.69/hour, the transparency just makes the problems more visible.

the difference between what hack club is and what it could be isn't some impossible gap. it's just a choice. a choice to prioritise the mission over ego. to admit mistakes instead of denying them. to protect teenagers instead of exploiting them.

i hope they make the right choice. because when i think about that person who got their first internship, or the one who built voidborne and felt proud for the first time, or the community member who said they feel "empowered and respected" - that's what hack club should be.

that's worth fighting for. even when it's exhausting.

the question nobody wants to ask

here's the uncomfortable question: is hack club actually good for teenagers?

empowering teens to build things? absolutely yes.

giving teens real responsibility and trust? mostly yes.

but putting teens in legal compliance roles they're not qualified for? no.

exposing thousands of teens' PII through repeatedly preventable security failures? definitely not.

paying teens less than minimum wage by calling it a "fellowship"? also no.

creating a culture where raising concerns gets you labeled "toxic"? really, really not.

the cost-benefit analysis is starting to look pretty grim. how many data breaches is "learning" worth? how much exploitation is acceptable in the name of "opportunity"?

so what now?

here's the thing: the infrastructure for something genuinely incredible is still there.

teenagers are still building amazing things. people are still landing internships because of what they learned at hack club. someone's still shipping their first VR app, their first PCB, their first game they're actually proud of. the community - when it's allowed to be a community and not a grinding machine - is still special.

all the pieces are there:

  • an engaged community of thousands of teens who genuinely want to build things
  • programmes that, when properly managed, create real opportunities
  • financial resources (millions, remember?) to fix the problems
  • a mission that people genuinely believe in

what's missing is:

  • actual data protection oversight (hire a DPO, not chatGPT)
  • proper security review before shipping (professional oversight for sensitive systems)
  • fair compensation (pay minimum wage at least)
  • accountability (stop letting the same people cause breach after breach)
  • transparency that includes admitting mistakes (not just denying everything)

none of this is impossible. it's not even particularly expensive compared to what they're already spending. it just requires admitting there's a problem and choosing to fix it.

the mission - empowering teenagers to build amazing things - is genuinely important. that's why this all matters. that's why people like me spent months trying to get them to listen. not to tear hack club down, but because we wanted it to be better.

and it still could be.

teenagers deserve better than "vibecoded" infrastructure exposing their data. they deserve better than $2.69/hour "fellowships." they deserve better than being called toxic for raising legitimate concerns.

they deserve a hack club that actually lives up to its mission.

the question is: will hack club choose to become that? or will it continue doubling down, denying breaches, dismissing critics, and hoping the community forgets?

i genuinely hope they choose the first option. the potential is there. the resources are there. the community desperately wants to believe in the mission.

all hack club needs to do is choose to be worthy of that belief.

the aftermath: what actually changed

so after all this - the meta posts, the complaints, the evidence, the regulatory threats, the months of criticism - what actually got fixed?

zach promised on july 10th: "Improving our policies around data is something that we started about 2 weeks ago and will probably have updates by end of September on."

end of september came and went. by october 9th, someone noted: "Privacy policy is like the last thing you would make before making any web service public, but HC has lacked it for years."

as of october, the situation looked like this:

what got "fixed":

  • thomas learned to use git add <fileName> instead of git add . (only took leaking 3 people's PII)
  • the security bounty programme exists (with shit payouts and questionable rules, but it exists)
  • some vulnerabilities that were reported got patched (until new code pushed them again)
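the `git add <fileName>` fix above is a habit, not a control; the next tired `git add .` puts the log file straight back in the index. what an actual guard looks like is a pre-commit hook that refuses log, dotenv and database files outright and greps the staged blobs (not the working tree) for email-address and long-ID-number strings. this is an added example written for this page, not hack club's code or thomas's fix; the path patterns, the regex and the file names are my assumptions, and the sample files it writes are constructed, not real data.

```shell
#!/bin/sh
# Added example: a pre-commit hook that blocks log/env/db files and greps staged
# content for PII-looking strings. Not Hack Club's code; the path patterns and
# the regex below are assumptions, and the sample data is constructed.

# Paths that should never reach a commit: logs, dotenv files, local databases, SQL dumps.
is_forbidden_path() {
  case "$1" in
    *.log|*.log.[0-9]*|*.env|*.env.*|*.sqlite|*.sqlite3|*.db|*dump*.sql) return 0 ;;
    *) return 1 ;;
  esac
}

# Email addresses, or runs of 9+ digits (phone, passport, ID numbers) not embedded in a longer number.
PII_REGEX='[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}|(^|[^0-9])[0-9]{9,}([^0-9]|$)'

# check_staged BASE FILE... : FILE paths are relative to BASE. Prints each offender
# to stderr and returns 1 if anything should block the commit, 0 otherwise.
check_staged() {
  base=$1; shift
  rc=0
  for f in "$@"; do
    if is_forbidden_path "$f"; then
      echo "pre-commit: refusing '$f' (log/env/database file)" >&2
      rc=1
      continue
    fi
    if [ -f "$base/$f" ] && grep -Eq "$PII_REGEX" "$base/$f"; then
      echo "pre-commit: refusing '$f' (contains email or ID-number-looking strings)" >&2
      rc=1
    fi
  done
  return $rc
}

# Hook mode: materialise the staged blobs (what would actually be committed, not the
# working tree) into a scratch dir and run the checker over them.
run_hook() {
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  git diff --cached --name-only --diff-filter=ACM | while IFS= read -r f; do
    mkdir -p "$tmp/$(dirname "$f")"
    git show ":$f" > "$tmp/$f"
  done
  old_ifs=$IFS; IFS='
'
  set -- $(git diff --cached --name-only --diff-filter=ACM)
  IFS=$old_ifs
  check_staged "$tmp" "$@"
}

# make_samples DIR: constructed files for a dry run (the email and the ID are fake).
make_samples() {
  mkdir -p "$1/src"
  printf 'GET /signup 200 user=alice@example.com ip=203.0.113.7\n' > "$1/server.log"
  printf 'puts "hello"\n' > "$1/src/app.rb"
  printf 'name,passport\nBob Example,P123456789\n' > "$1/export.csv"
}

# Dry run over the constructed samples: server.log is blocked by path,
# export.csv by content, src/app.rb passes.
demo() {
  tmp=$(mktemp -d)
  make_samples "$tmp"
  if check_staged "$tmp" server.log src/app.rb export.csv; then
    echo "demo: nothing blocked"
  else
    echo "demo: this commit would be rejected"
  fi
  rm -rf "$tmp"
}

# Installed as .git/hooks/pre-commit, git runs this with no arguments;
# `sh staged_pii_check.sh --demo` runs it on the constructed samples instead.
case "$0" in
  pre-commit|*/pre-commit) run_hook ;;
  *) if [ "${1:-}" = "--demo" ]; then demo; fi ;;
esac
```

copy it to `.git/hooks/pre-commit` and `chmod +x` it; the script switches to hook mode from its own file name. two caveats a practitioner should keep in mind: a hook is client-side and `git commit --no-verify` skips it, so it is a seatbelt for one developer, not an organisational control (that would be not writing PII to logs in the first place, plus the same scan running server-side or in CI where it cannot be skipped). and it only helps before the push: once the commit is on github, forks and caches keep the bytes, which is exactly why thomas had to rewrite history and file a support ticket rather than just delete the file.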

what didn't get fixed:

  • no comprehensive privacy policy for hack club's main operations
  • DSARs still being ignored months later ("it's been several months" as of writing this)
  • data still stored "in close to a hundred different places" making deletion near-impossible
  • identity vault still keeping documents indefinitely with no deletion option
  • orpheus-engine still profiling people without meaningful consent
  • minors still handling critical data and compliance decisions
  • same developers still shipping insecure code to production
  • still no qualified DPO or data protection oversight

one community member noted: "HQ would have to work on only data protection for a couple months straight to get things reasonably better."

but they didn't do that. they just... carried on. new programmes, same problems.

the one bright spot? some community members took matters into their own hands. nest (a hq-sponsored but community-run project) sat down, mapped their data, considered legitimate interests, drafted a proper privacy policy, and implemented it. they showed it CAN be done. as they put it: "Privacy is a human right. To desire privacy is to be human... We're grateful that you trust us to handle your data and I think we should return the favor by respecting you."

if a community project can do it, why can't HQ?


this document represents my personal experiences and observations from july-october 2025. all quotes are real and sourced from hack club's public slack channels or my personal communications. screenshots and evidence available upon request.

if you're a hack club participant whose data was exposed and you want to know what's in the breach, file a DSAR. if they ignore it (like they did mine), file a complaint with your local data protection authority.

if you're a teenager being offered a paid role at hack club, ask about the hourly rate, ask about taxes, ask about employment protections. do the maths. don't let "opportunity" blind you to exploitation.

and if you're hack club staff reading this: i'm still waiting for my DSAR response. it's been several months.


sources & receipts

all quotes are from hack club's public slack channels (meta primarily) or personal DMs. here's a selection of key ones:

on the community at its best:

"if i post in this slack - i get a person who is kind enough to explain it to me in detail and a community to support me on. hack club tolerates none of what i described before, which is the social-norm everywhere else."

  • Felix Gao

"around last year june i somehow stumbled upon hack club in a github email... that day kinda changed everything and was a turning point, i was able to see ppl i could relate to, ppl who have genuine interest in making things and life long friends and acquaintances... thanks to God i was able to land a full stack software engineering internship at quite a very reputable company here, i may have winged it by applying but my experience with building apps and websites for my age clearly stood out... none of them pay well but for my experience and age it is awesome to be able to do things this cool... and i would certainly say Hack Club played a huge role in it."

  • Aadil Noufal

"After participating in soo many YSWS I still find HC more as a place which allowed me to try different things that I would have never even imagined. I created my first pcb, advanced hardware, VR application, my own programming language, CLI application, a reinforced ML agent, ARM assembly, my mouse, 3D website, mcp, slack discord telegram Bot, a desktop application, idk much more... All these were my first time!! And the learning from these has much more value in my life than the prizes I got."

  • Anirudh (Anirudh Sahu)

"during SoM, i made the most ambitious project I'd ever even tried to make. a story game that i'd been wanting to make for SO long... it quickly evolved into smth else. it made me realize not everything i do is for prizes... i genuinely stopped caring about SoM and prizes, and just worked for the sake of making the game i had envisioned, something i could genuinely be proud of... seeing everyone so happy upon shipping it and seeing everyone i knew across slack playing it was the best experience i ever had in hackclub."

  • fireentity (Valerie)

"Ultimately the thing we are trying to do here is create a space where people build real projects they're proud of (and through that, hardcore technical skills), lifelong friendships, and experiences of incredible adventures like traveling across the world to go to a hackathon."

  • Zach Latta, founder

on the community decline:

"i joined hackclub a year ago and it was enjoyable, i had fun building new shit and enjoyed the free stuff because it made me feel my projects were worth spending time on. the community was engaging and helpful. now however? the yswses seem more unpolished... hackclub has become less about creating for the sake of it and more about making sloppy work for free stuff."

  • nimit

"Hack Club was once a community. A community that helped each other... But sometime, this year or last, things had changed quite... drastically... If HC was a community then, I'd say it's now a micro-society. A society, where you do X to exchange for Y, quantity (time/hours) over quality (personality and originality)."

  • QinCai (Raymont)

on data breaches:

"many were filed [reports], however, right after one was patched, the organisers would push vulnerable code all again, exposing AGAIN the PII leaks. also, no one was warned that their data was exposed."

  • Samuel, on neighbourhood vulnerabilities

"heads up, this is likely referring to when I committed & pushed log files w/o realizing. This leaked 3 people's PII. I let the impacted people know, privated the repo, cleared the log file from the history, & requested GitHub to clear it from the forks (w/ a ticket). It's understandable you're quite frustrated with this & I fully admit to my mistake. I'm sorry my mistake caused you this problem. I have since started using git add <fileName> instead of git add ."

  • Thomas Stubblefield

"I believe, that if someone leaks data once it could be forgiven, but if it happens multiple times, one should rethink the way that data is handled"

  • Michał Hanak (MHanak)

"I don't know who you are, but I feel extremely sorry for you and I think at the very least Hack Club should provide some kind of data protection service for free for some time to people who suffer from their data breaches, and Hack Club should also invest more in preventing them from happening"

  • Carlos - 2/10/2025

on vibecoding critical infrastructure:

"Honestly right now it feels like there's too much emphasis on the 'just ship it' mentality, especially for infrastructure that's handling sensitive data or forms the backbone of official events... when you're building systems that manage real user data, participant logistics, and authentication flows, the bar has to be higher. These aren't just random personal side projects, they are the core parts of real experiences that affect real people."

  • Prox2 (Anonymous)

"From what I've seen, there's a worrying lack of professional oversight or experienced review when it comes to security and infrastructure. Things are being 'vibecoded' quickly spun up without clear planning, code quality control, or long term maintainability."

  • Prox2 (Anonymous)

"vibecoding... is to push AI code without looking over it and/or constraining and testing it. unfortunately, when critical infrastructure such as DNS is vibecoded, a LOT of shit will break!"

  • itai (Itai S)

"im fine with hq taking their time to reply, but please no more vibe coding"

  • Felix Gao

on chatgpt legal advice:

"so. i just had a conversation with Chris, who is full-time staff at hq, and it's honestly shocking how these issues are still being dismissed. when I brought up the fact that exposing physical addresses and other sensitive info is a data breach (regardless of intent), Chris insisted it's 'just a vuln' and not a breach, DESPITE the fact that the law says otherwise. he even doubled down by saying he's never heard the term 'data breach' used that way, and relied on chatgpt instead of actual legal advice."

  • ella (me), describing conversation with chris (cwalker)

on the bounty programme:

"Currently the Security Program's payout rules aren't logical - it goes against the founding principles of this program... what we should do is being generous about the payouts - doing so can instill confidence in people's hearts, buy people's trust in Hackclub."

  • Cyao

"if you found a security vulnerability within hackclub, severe or major, given how they have currently handled reports so far, would YOU report it and go through the same process and payouts that previous people have experienced?"

  • junya

"also kinda funny given the two people running the security program have gotten several thousands in bug bounties themselves"

  • TheTridentGuy (Aiden)

on "small team" with limited resources:

"Hack Club is not a high paying job. People work here and run programs because Hack Club changed their lives and they want to run life-changing programs for the next generation of Hack Clubbers. The work is a labor of love."

  • Zach Latta

"We don't think this is fair, but there is literally nothing we can do to change it without incurring millions of dollars in expenses"

  • ian (Ian Madden), on expanding to pakistan

"HC is not really big"

  • fsh (fish)

"Hack Club has tons of people willing to jump in and help, often for free. They are not starving for hands"

  • Barthunkle

"It would likely cost about $1m in development and legal costs to set up HCB for Europe and at least $500k/year in ongoing legal and compliance costs, FYI"

  • Zach Latta

"assuming 20 RM's are hired and each makes idk, $1750 on average, you get a total expenditure of: $35,000. yeah the budget is suffering so hard because of this /s"

  • Raygen Rupe

on staff visibility:

"Is there a way to identify HC employees and YSWS organizers in the slack?"

  • Marcus Kauffman

"I would appreciate if everybody who worked for HC would put it on their profiles"

  • Marcus Kauffman

"But i don't know why Slack doesn't show roles like Discord, since there is a staff role"

  • csd4ni3l

on minors handling data:

"this kinda fortifies my whole issue as well. we should not be letting kids handle this data without proper training. and so far, it's very clear that they've had none. or they just simply don't care and want to get something rushed out as fast as possible"

  • ella (me)

"If HC cared they wouldn't be panicking about privacy stuff, it would be implied"

  • itai (Itai S)

"One of the first trainings I had to give some of the interns and new gap years this summer was how not to be emotionally devastated by #meta because there were some posts about them. It sucks that I had to have that conversation before I even had a chance to show some of them how to get a website deployed on Hack Club infra."

  • Zach Latta

"Staff members lie awake at 11:30 pm on their phones doomscrolling #meta because they care and want to improve. But they are just getting bullied by anonymous people who speak with absolute authority, sometimes make threats, and generally have a bullying and belligerent attitude."

  • Zach Latta

on zach's response:

"Improving our policies around data is something that we started about 2 weeks ago and will probably have updates by end of September on."

  • Zach Latta, july 10th 2025

on the aftermath:

"Privacy policy is like the last thing you would make before making any web service public, but HC has lacked it for years"

  • monosodiumfox (Karakami), october 2025

"HQ would have to work on only data protection for a couple months straight to get things reasonably better"

  • mahad (Mahad Kalam)

"I think a large part of it comes down to there being close to a hundred different places where data is stored (incl Airtable bases)"

  • mahad (Mahad Kalam)

"Privacy is a human right. To desire privacy is to be human. To know what we do with your data is to be human... We're grateful that you trust us to handle your data and I think we should return the favor by respecting you."

  • sph (reiden), Nest team, after implementing proper privacy policy

on community response to criticism:

"what it spiraled into because the fake stuff went out sooner than the truth: • someone DDoS'ed HC • supply chain attacks– people contacting our server providers and almost shut down all HC infra • people finding personal contact info of HC adjacent people (ie. donors) and harassing them • spam/doxing attempts outside of official HC channels"

  • max (msw)

on the actual mission:

"Some of you (including me) don't seem to realise how lucky we are to have something like Hack Club. Hack Club, a community where we all share the same interest and mindset. Hack Club, a community where I feel empowered and respected. Hack Club, a community where I'm rewarded for, what, following my own interests?!"

  • community member defending hack club

"HQ, I can't speak for others, but all I'm asking for is a bit of transparency. You can't ask us to be constructive when you don't tell us what you've tried, what you've stuck with, and why it works."

  • same community member

all quotes are mostly verbatim from hack club slack. thread timestamps and full context available upon request.


thank-you's

first off, to hack club itself: thank you for existing. seriously. for all the criticism in this document, the world genuinely needs more organisations trying to empower teenagers to build things. the mission matters. the real impact on people's lives - the internships landed, the first projects shipped, the friendships formed, the opportunities created - that's real and it's valuable. this document exists because i believe in that mission enough to want it to succeed properly. i want hack club to be better because the alternative - it shutting down or becoming irrelevant - would be worse for everyone.

to the community members who spoke up: thank you. to everyone who posted in meta about data protection, who questioned labour practices, who called out the vibecoding, who asked for transparency, who kept pushing even when called "toxic" - you did the right thing. speaking up when you see problems isn't being difficult, it's how communities stay healthy and organisations stay accountable. special thanks to those who helped gather evidence, who filed proper reports, who tried to work within the system even when it was exhausting and frustrating. you made this document possible.

to the people whose data was exposed: i'm sorry this happened to you. you deserved better protection than you got. you trusted hack club with your personal information and that trust was violated. that's not okay, and it's not your fault.

to the interns and staff who got caught in the middle: this isn't about you personally. you were put in impossible positions by institutional failures and you did your best with what you had. being trained on "how not to be emotionally devastated by meta" before being taught how to deploy a website isn't your fault - it's a sign that something is deeply wrong with how the organisation operates. you deserved better support and better guidance.

to the nest team who actually wrote a proper privacy policy: thank you for showing it CAN be done. "privacy is a human right" - you get it.

and to you, the reader: thank you for making it through 8 and a half thousand words of this. whether you're a hack club participant trying to understand what happened, a parent trying to evaluate the risks, a regulator looking into complaints, another nonprofit trying to learn from these mistakes, or just someone who cares about teenagers' data protection - thank you for caring enough to read this entire thing.

the story isn't over. how it ends depends on what happens next. i hope it's a redemption arc.
