The Supabase RLS Mistake That Left My Ledger Public (Simply Explained)
A plain-language guide to a Supabase row level security mistake. No jargon, no tech speak, just what it means for your business.
By Mike Hodgen
The Email That Said CRITICAL
The subject line just said CRITICAL. I almost ignored it. The software I use sends a lot of email.
I'm glad I opened it.
One of my business databases had been left wide open. Not a test project. The real one. The database holding the full financials for one of my businesses. Profit and loss. Cash position. Everything.
Here's what that warning meant in plain English. Anyone who found the address of that database could read it, change it, or delete the whole thing. No password. No lock on the door. Just walk in.
The address wasn't secret either. It's the kind of thing that's easy to find if you know where to look.
So the situation was simple and ugly. A database full of money numbers, sitting on the open internet, with nothing standing in the way.
The worst part: this database was never supposed to be reachable by the public at all. It was a behind-the-scenes system. No customers. No login screen. It just did math and stored results in the back room. And yet there it was, sitting on the street with the door propped open. Because of one default setting I never thought about.
I built that system fast. It worked. It had been running for months. And the whole time, the door was open.
Why "Build Fast" Tools Leave the Door Unlocked
The tools that let you build software in a weekend are great. But they come with a catch most people never hear about.
Think of it like a new house from the builder. They hand you the keys, but every door and window is unlocked by default. The assumption is that you'll go around and lock everything before you move your valuables in.
Most people never do. They assume the builder handled it. The house looks finished, so they trust it's secure. It isn't.
That's the first problem. New databases come unlocked. You have to choose to lock them, and almost nobody knows they need to.
Here's the second problem, and it's the one that nearly cost me everything.
Even if you lock the front door, these systems let you build "windows" into the data. Shortcuts that make it easier to view your numbers. And those windows ignore the lock on the front door entirely.
So you can lock the room, see the green checkmark, feel safe. Then someone climbs in through a window you forgot was there and walks out with the whole ledger.
That's exactly what happened to me. Three of those windows were leaking my most sensitive financial reports. The profit and loss. The cash flow. The full balance. All of them open, even though I'd locked the room they sat in.
Don't Trust the Smoke Alarm. Do the Inspection.
Here's the detail that changed how I treat every project I build.
The warning email only showed me one problem. One unlocked door. I figured I'd fix that one thing and walk away.
Then I opened the full security report inside the dashboard. Three more leaks the email never mentioned.
The email is like a smoke alarm that only goes off for one kind of fire. The full report is the actual home inspection. If I'd trusted the email and stopped, I'd have left my three most sensitive financial reports wide open and felt great about it.
Lesson: never trust the summary. Pull the full report every time. The most dangerous problems were the ones that never hit my inbox.
The One-Hour Fix, Then the 40-Project Sweep
Locking it all down took about an hour. Most of that hour was just hunting down every hidden window to make sure I'd caught them all.
The fix itself was straightforward. Lock every door. Make every window respect the locks on the room it's in. A couple of extra steps to close smaller gaps. Done.
For a behind-the-scenes system like this, the answer is simple: lock everyone out. My own server has its own special key that still works, so nothing breaks. Everyone else gets nothing. That's exactly how a back-office database should behave.
But here's where it got real. One leak is a clue, not a conclusion.
So I checked all 40 of my projects for the same problem.
I found 8 more with the identical leak.
Several were projects I'd have sworn were locked down. Green checkmarks everywhere. The rooms were genuinely locked. And the windows were leaking the data anyway, because they hid behind the same green checkmark that made me feel safe.
That's the trap in one sentence. The dashboard tells you the room is secure. The room IS secure. And the data still walks out through a window you forgot existed.
This isn't a knock on the software or on me. It's a pattern. I've seen the exact same thing leak patient health data on a completely different system. Same root cause every time. Build fast, trust the defaults, store sensitive data, and nobody looks until something forces the look.
Here's the gut-punch for anyone who built something quickly: if you shipped a backend fast, you almost certainly have this somewhere. Not maybe. Almost certainly. The defaults make it the likely outcome, not the unlucky one.
"Secure by Default" Is a Myth You Have to Fix Yourself
The platforms that let you launch in a weekend ship unlocked on purpose.
They're built to help you get started fast, not to keep you safe. That's an understandable choice. A tool that forced you to set up security before you could even test an idea would lose everyone.
That tradeoff is fine if you know it exists. It's a disaster if you assumed the platform had your back.
I build fast all the time, so I won't pretend otherwise. Speed has a tax. The tax is usually paid in security gaps nobody sees, until an email shows up with one word: CRITICAL.
If you built something fast and want to check it yourself, do three things. Open the full security report in the dashboard, not just the email. Find every shortcut window into your data and confirm it respects the locks. And make sure every room is actually locked, not just assumed to be.
Do those three and you'll know more about your exposure than most teams who built with AI ever bother to find out.
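For anyone who wants the checks above as something to paste into the database's SQL editor, here is one way to write them. This is an added example, not code from the original post: it assumes the "rooms" are tables and the "windows" are views in the public schema, that anon and authenticated are the roles behind the public API, and the object names in step 3 are hypothetical.

```sql
-- Added example, not from the original post. Assumes the data lives in the
-- "public" schema and that "anon" is the role behind the public API key.

-- 1) Rooms left unlocked: tables with row level security turned off.
select c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')        -- ordinary and partitioned tables
  and not c.relrowsecurity
order by 1;

-- 2) Windows that ignore the lock: views without security_invoker.
--    Such a view reads its tables as the view's owner, so the row level
--    security on those tables is not applied to whoever queries the view.
select c.relname as view_name,
       has_table_privilege('anon', c.oid, 'SELECT') as public_can_read
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'v'
  and not exists (
        select 1
        from unnest(coalesce(c.reloptions, '{}'::text[])) as opt
        where lower(opt) in ('security_invoker=true', 'security_invoker=on',
                             'security_invoker=yes', 'security_invoker=1'))
order by 1;

-- 3) Lock-down for a back-office database. Object names are hypothetical.
--    RLS enabled with no policies means the API roles get no rows;
--    a role that bypasses RLS (the server's own key) keeps working.
alter table public.ledger_entries enable row level security;
alter view public.profit_and_loss set (security_invoker = true);  -- PostgreSQL 15+
revoke all on public.profit_and_loss from anon, authenticated;
```

Both audit queries should come back empty once everything is locked; any row in the second one with public_can_read set to true is a window that is open to the street right now.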
This is the audit I run across an entire business in a day. One incident is a clue. The full sweep is where the real risk lives. If you want a second set of eyes on yours, have me run the same audit on your backend.