When Your Open Source Tool Becomes a Phishing Relay

Andrej Acevski runs Kaneo, an open source project management tool with a hosted cloud version for people who don’t want to manage their own Postgres. Last Thursday he woke up to a Resend quota alert. Someone had used his signup flow to register 942 throwaway accounts, create 942 workspaces with phishing subject lines as their names, and blast 14,520 invitations to strangers — all through his verified sending domain.

No exploit. No vulnerability. They just filled out his form 942 times, used workspace names as the message payload, and let Kaneo’s legitimate invitation emails do the work. His DKIM signature went out on every single one.

The cleanup was straightforward — one Postgres transaction, ROLLBACK first to check counts, then COMMIT. 942 users banned, 947 workspaces deleted, 14,533 invitations cascaded out via foreign keys. About an hour. The hardening took a day: captcha, disposable email blocking, rate limits, workspace-name filter, guest accounts stripped of invite rights.
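The hardening list above, gathered into one illustrative JavaScript guard for an invitation endpoint. This is an added example, not Kaneo's code: the disposable-domain list, the role names, the rate-limit numbers and the workspace-name heuristics are all assumptions, and captcha is left to whatever third-party widget the signup form uses.

```javascript
// Hypothetical invite guard for a multi-tenant cloud tier (not Kaneo's code).
// Constructed sample blocklist; a real deployment would load a maintained list.
const DISPOSABLE_DOMAINS = new Set(['mailinator.com', 'guerrillamail.com']);

function isDisposableEmail(email) {
  const at = email.lastIndexOf('@');
  return at < 0 || DISPOSABLE_DOMAINS.has(email.slice(at + 1).toLowerCase());
}

// A workspace name is a label that ends up in an outbound email, not a message
// body. Reject names that carry links or addresses, read like a sentence, or
// use characters a product name has no need for (thresholds are illustrative).
function workspaceNameLooksLikePayload(name) {
  const n = name.trim();
  if (n.length === 0 || n.length > 60) return true;
  if (/https?:\/\/|www\.|\S+@\S+\.\S+/i.test(n)) return true;
  if (n.split(/\s+/).length > 6) return true;
  return !/^[\p{L}\p{N} .'&-]+$/u.test(n);
}

// Guests get no invite rights; only these roles may send (assumed role names).
const INVITE_ROLES = new Set(['owner', 'admin', 'member']);
function canInvite(member) { return INVITE_ROLES.has(member.role); }

// Fixed-window limiter keyed per workspace: at most `limit` invites per window.
class InviteRateLimiter {
  constructor(limit, windowMs) { this.limit = limit; this.windowMs = windowMs; this.buckets = new Map(); }
  allow(key, now = Date.now()) {
    const b = this.buckets.get(key);
    if (!b || now - b.start >= this.windowMs) { this.buckets.set(key, { start: now, count: 1 }); return true; }
    if (b.count >= this.limit) return false;
    b.count += 1;
    return true;
  }
}

// Single decision for the invite handler. The name check normally runs at
// workspace creation as well; it is repeated here so nothing already stored
// slips through after the filter is introduced.
function checkInvite({ sender, workspace, limiter, now = Date.now() }) {
  if (isDisposableEmail(sender.email)) return { ok: false, reason: 'disposable sender address' };
  if (!canInvite(sender)) return { ok: false, reason: 'role cannot invite' };
  if (workspaceNameLooksLikePayload(workspace.name)) return { ok: false, reason: 'workspace name rejected' };
  if (!limiter.allow(workspace.id, now)) return { ok: false, reason: 'rate limited' };
  return { ok: true, reason: '' };
}
```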

The bit worth sitting with: self-hosted software and a cloud version of the same software are not the same product. When you self-host, you’re the operator and the user. Nobody’s sending adversarial invitations to themselves. When you run a multi-tenant cloud tier, you’re signing for everything every stranger does through your integrations. Andrej’s Resend domain went on 14,520 phishing emails he didn’t write. That’s the gap.

Worth reading if you run anything with a cloud tier bolted onto an otherwise self-hosted-first project.

Someone used my open source project to phish 14,000 people