I hacked Monster Energy
154 comments
August 23, 2025
gnarlouse
sigmoid10
I wouldn't be surprised if their lack of any response is because they literally have noone to deal with this. They can't seem to fill (or hold) some pretty important IT roles:
https://recruiting2.ultipro.com/MON1009MECY/JobBoard/682eaab...
martin-t
Which in turn is maybe because they are unwilling to offer sufficient compensation. You get what you pay for but this time the tables have turned and it's a big corp getting shafted.
This is not a mom and pop shop struggling to keep the lights on. This is a huge corporation whose CEO has a net worth 4 orders of magnitude greater than the median American of his age. He could pay the whole IT department out of his pocket and barely notice.
I don't feel bad for them.
brianwawok
I’m not sure a drink company throwing 200-500k at a few security hires is going to really do anything. Who is there to validate the quality of these guys?
4ndrewl
You remember "software is going to eat the world?"
_Every_ organisation is a tech organisation.
zrobotics
I do dev & IT for a <25 person company in ecommerce. If we had even half of the issues that were pointed out in this post, I'd be telling the owner that he should be looking to replace me. I get that they're not a software company, but these are super basic issues. These issues, coupled with no response to the reported issues, lead me to suspect that the c-suite deprioritized IT to the point that it's a skeleton staff and they can't hire or retain anyone that's even halfway competent. You don't end up with these kinds of issues, as a company of their size, unless there are serious management problems. They are big enough that they should definitely have the budget to do basic stuff like auth properly, or at least not make so many 101-level errors.
That said, the author also comes across as a complete d-bag as well. I have about as much love for marketing people as the average software developer, but their description of their average consumer was pretty normal. The author got super-catty about what's a fairly basic description of their average consumer and a stock photo. They aren't saying the only people who drink monster are young white males, just that that is their largest market and the consumer group they are targeting. It does make sense for them to say internally "hey, FYI this is the group of consumers we intend to target with our marketing efforts", and I've definitely read very similar stuff in every marketing proposal I've read, just with different groups.
kingforaday
I first learned of bobdahacker from his post three weeks ago also headlined on HN: https://news.ycombinator.com/item?id=44723773
willwade
Just a FYI
"I first learned of bobdahacker from *their* post three weeks ago also headlined on HN: https://news.ycombinator.com/item?id=44723773"
(I read their bio :))
unsnap_biceps
Their bio says
> am nonbinary leaning fem and use she/they/he pronouns.
So while they prefer feminine, they explicitly list masculine as okay to use.
squigz
It's like watching the school bully pants the weird kid who's just really passionate about his interests. It's not tough or cool, really it's just pathetic and sad.
evan_
Products like this don't just appear in gas station coolers by themselves, they would have started by identifying a demographic first and then building a product specifically targeted to that audience. They decided to target younger-skewing men, and so they made an energy drink that's neon green and called it "Monster". If they had decided to target over-60 women they would have designed the product much differently.
This isn't just a reactive profile of who they think is buying the product, it's the blueprint for the product.
jmye
And regardless, I would tend to believe that a highly successful, very pervasive consumer product has at least some fucking clue who their customers are, unlike the random dude hacking their site who appears to think he’s an expert in everything because he understands some tech.
Not that HN would know anything about that.
LambdaComplex
"I violated the CFAA, likely committing several misdemeanors or felonies in the process, wrote up a detailed account of what I did (complete with screenshots), and then posted the account on the internet."
For the author's sake, I really hope they don't live in the USA.
kersplody
Or Europe. Or the UK. 10+ years in prison plus civil damages in all three jurisdictions should it be prosecuted under various "unauthorized computer access" laws. Even just browsing protected endpoints is a criminal violation. Publishing any info is an even bigger crime.
FYI, if you are a hacker:
1. Stop immediately after discovery and don’t go further than the minimal step that proves the vulnerability exists.
2. Document, don’t exploit.
3. Report responsibly.
4. Do not publish until fixed. Do not publish documents/images without permission.
5. Intent doesn’t erase liability: even “just poking around” can be charged under CFAA (US) or CMA (UK).
martin-t
Or that they took sufficient care to remain anonymous.
Ms-J
Here is an archived copy of the more complete, original version:
https://web.archive.org/web/20250823172249/https://bobdahack...
billy99k
I contacted the owner of the house I found unlocked and there was no response, so I proceeded to let myself in anyway.
These writeups are Jr. level hacks (I looked through them all). Aside from making the company look bad, you don't really learn much from it because they are so easy.
I'm tempted to just find the person that owns this blog and make sure they aren't hired in the security industry. We don't need people like this around.
trinix912
> I'm tempted to just find the person that owns this blog and make sure they aren't hired in the security industry. We don't need people like this around.
Sorry, being the one to "make sure" someone doesn't get hired makes you the person whom I'd never hire in my eyes. Hopefully also in the eyes of all the potential employers to whom you go crying, trying to sabotage this guy's career.
Everyone was an eager junior once. If you weren't, it's your problem, not this guy's.
LexiMax
> Sorry, being the one to "make sure" someone doesn't get hired makes you the person whom I'd never hire in my eyes.
Yeah, there was some serious, "you'll never work in this town again," energy. Glad I wasn't the only one who picked up on it.
Ms-J
Ignore their remarks, the person obviously has no sway at all in the industry and wants a little power.
I'd hire this security professional at my company.
93po
alternatively:
the security guard of the local mall left the door unlocked when the mall was actually closed, and i saw the mall hours that it was closed, but i went in anyway out of curiosity since i was already there
martin-t
Because you certainly are the right person to pass judgement and destroy someone's life based on reading a few blog posts.
SoftTalker
That's actually pretty representative of the people I see drinking Monster drinks.
mrangle
Since most people are lower income, and therefore a high-market-share, low-unit-price gas-station drink company like Monster will by definition have to have its largest customer base come from the largest, i.e. poorer, demographic, the only slightly revelatory information is that the demographic is younger, male, and leans Hispanic.
This doesn't imply that people in higher income brackets don't drink it, even most of them (though probably untrue).
Also pertinent is that the data is specified for Monster Green, which is their full sugar product. Monster Zero is a pretty big product as well, and could have a slightly differing customer base.
b_e_n_t_o_n
Haha. White monsters are pretty popular with gen-z'ers in general. A lot of us don't like coffee but still want a hit of caffeine and it's basically pure caffeine with a very mild taste. Other sugar free energy drinks have a much stronger sourness (red bull) or more distinctive flavours. I do love the tropical and coconut red bulls though.
The green monsters are definitely more male gamer oriented, but the white, green, pink, rose monsters etc seem pretty popular with people in my generation who fall outside that male gamer demographic.
Personally I prefer red bull now but as I get older I mostly drink coffee.
opan
>Monster Green, which is their full sugar product
Just want to add that all Monster (AFAIK) contains sucralose even if it also has HFCS or other sugar. It's a small amount because it's so potent, so I usually start at the end of the ingredients label when checking if drinks have it. NOS also puts it in their regular drinks. I don't know when they made this change, but I stopped drinking Monster because of it. I used to like the Mean Bean Java Monster quite a bit.
My energy drink of choice these days is Blueberry Red Bull, in case anyone else is looking for an option that tastes better.
Also some brands like Rockstar put it in half their flavors, so you gotta check every can. Even though Killer Citrus is safe (as of 5+ years ago when I last looked anyway), Killer Grape isn't, despite both being of a similar subtype.
thereticent
I've never seen reliable data suggesting that sucralose is harmful. Could be wrong. If you wouldn't mind giving sources, that would be helpful. Or is it just a personal sensitivity? Don't mean to pry. I'm just curious about the issue.
eterm
Given their definition of "Younger" appears to include GenX, even that just means "Boomers don't drink it".
js4ever
It is highly irresponsible to disclose security vulnerabilities publicly, and in some jurisdictions it may even be illegal.
While I understand that the author attempted to contact Monster without receiving a response, publishing details of the vulnerabilities and how to exploit them only puts users at greater risk. This approach is reckless and harmful.
darth_avocado
It is common practice to give the company sufficient time and communicate, and then release the details once the vulnerability is patched. But it’s also common in practice to disclose the vulnerability after a set period of time if the company does not engage in any form of communication and refuses to patch the vulnerability. In this case they didn’t engage in any form of communication and then partially patched the problems. Nothing out of the ordinary here.
eclipticplane
What _isn't_ common practice is actually copying and posting company material on your blog. Just because a door is unlocked does not give you the right to take materials & post them.
93po
This requires you to have any amount of respect for intellectual property, which many find to be immoral
none_to_remain
I have seen this in practice for vulnerabilities that affect many users of some software. If some Hackermann finds that Microsoft Windows version X or Oracle Database server version Y has a security flaw then disclosure is virtuous so that people using those can take measures. That reasoning doesn't seem to apply here.
dh2022
My understanding is this is the standard SOP for security vulnerabilities:
1. Report the security vulnerabilities to the “victim”
2. Work with the “victim” on the schedule for mitigation and publication
3. Publicize the vulnerabilities (the security researcher wants his findings to be publicly recognized)
If the victim does not acknowledge this issue it is impossible to execute step 2. So then the security researcher goes to step 3.
If the hacker has the emails sent at step 1 he will be fine.
jhanschoo
OP leaked internal business documents as part of their disclosure that had no business being in a disclosure. It looks like minor employee details have been leaked as well, which is very bad.
martin-t
These companies treat fines as the cost of doing business and every time they lose people's personal information, they get slapped on the wrist and laugh it off while the execs get bonuses for having someone write a tearful apology to appear like victims.
I am happy every time somebody makes enough noise to make them notice and fix it because being polite and legal clearly is not working.
IlikeKitties
Nah, fuck that noise. If the company reacts to a responsible disclosure notice that's nice but no one is under any obligation to help out mega corps to secure their shit. And the users aren't put at risk by the people finding the vulnerability but by the company not fixing it.
Fuck Responsible disclosure, companies should have to bid on 0 days like everyone else.
Ekaros
One probably should not release information from company they hacked.
On the other side, if it is some piece of software, immediate disclosure in public is the only reasonable and prudent action. It allows every user to take necessary mitigation actions like taking their services and servers offline.
pizzalife
There is a market for capabilities, i.e. zero-days in widely used software. It has value, sometimes in the millions.
No one will buy some shitty XSS on a public website.
js4ever
That argument misses the point. Yes, the company has the primary responsibility to fix their vulnerabilities, but that doesn’t justify recklessly publishing exploits. Once an exploit is public, it’s not just 'the company' that suffers, it’s every customer, employee, and partner who relies on that system.
Saying 'fuck responsible disclosure' is basically saying 'let’s hurt innocent users until the company caves.' That’s not activism, that's collateral damage.
If someone genuinely cares about accountability, there are legal and ethical ways to pressure companies. Dumping 0-days into the wild only helps criminals, not users.
IlikeKitties
> Saying 'fuck responsible disclosure' is basically saying 'let’s hurt innocent users until the company caves.' That’s not activism, that's collateral damage.
Correct. And I have good reasons for that. Activism has failed, consequences are required. The inevitable march towards the end of privacy due to the apathy of the unthinking majority of careless idiots will only be stopped when everyone feels deeply troubled by entering even the slightest bit of personal information anywhere because they've felt the consequences themselves.
> If someone genuinely cares about accountability, there are legal and ethical ways to pressure companies. Dumping 0-days into the wild only helps criminals, not users.
I could point to probably thousands of cases where there wasn't any accountability or it was trivial to the company compared to the damage to customers. There's no accountability for large corporations, the only solution is making people care.
93po
let's be clear here, though: the root problem isn't someone finding some sensitive papers left on a printer accidentally, it's the person who left them on the printer to begin with. that's the root failure, and damage that results from that root failure is the fault of the person who left them there.
the american system clearly agrees with this, too. you see it in insider trading laws. you're allowed to trade on insider information as long as it was, for example, overheard at a cafe when some careless blabbermouth was talking about the wrong things in public.
pletsch
This is a strange disclosure post.
They may not have had a security email but I’m sure there was some contact this could have been sent to before posting something like this.
Part of me wonders if OP even tried or was mostly just looking to dunk on a company.
darkwater
They did contact them and there was no response. The only ones answering were ClickUp folks.
HtmlProgrammer
This feels a bit over the line from disclosure to sharing corporate documents… feels a lil bit crimey
lpapez
IMO the author of the article should lawyer up.
They should not have done any of this in the first place, let alone disclose it publicly in this manner.
I too did similar things when I was younger, riding high on that feeling of power, and learned the hard way that even attempting to hack something can be considered computer fraud in EU.
I was lucky to not suffer any consequences in the long run.
You can brag all you want about being an "ethical hacker", the law is probably not on your side - especially if you publish incriminating evidence in the form of an immature post like this.
dlachausse
Ethical hacking requires prior authorization from the organization you’re hacking. This person is a total clown and is absolutely in violation of the law.
daft_pink
I found this actually to be very cute. It’s awesome that their employees have gamified badges and that the photo of their core customer looks so awesome.
bko
I worked at places with "points" you can give to other coworkers, but no reward. I would love to have traded some of my points for monster merch. This can almost read like an advertisement for working at Monster
dustractor
Completely irrelevant to the article, but next time you come across one of those internet crazies who think the Monster logo is satanic, you can troll them by pointing out that it is really just an Ugaritic L -- 𐎍 -- and that one of the original names for the Hebrew god was EL so really Monster is a godly drink, not satanic.
treyd
I thought it was the other way around, that the individual mark is interpreted as a 6 so it's 666?
thereticent
Redundant! Every UPC barcode has a 6 at the beginning, middle, and end. If you've got the mark of the Beast you may as well get Beast Bux.
Reading this article feels like seeing somebody you don't particularly like get pantsed, but feeling bad for them because the person pantsing them is an even bigger idiot. Like Monster is not in tech. In any regard. I'm sure that they contract for 100% of their development.