DigiNews

Tech Watch by Johan Denoyer

Danish Pension Blacklists SpaceX over 'Catastrophic Governance'

Quality: 8/10 Relevance: 9/10

Summary

The open-source SaaS project Kaneo faced a large-scale phishing attack that exploited its signup flow and email deliverability, sending 14,520 invitations to recipients via compromised accounts. The author details how the attacker operated, the gaps in the design, and the immediate and longer-term mitigations (CAPTCHA, rate limits, disposable-email blocking, and workspace-name filtering). The piece highlights the difference between self-hosted and cloud-hosted threat models, and draws lessons for SMB IT staff and developers on protecting email trust and user safety.

🚀 Service built by Johan Denoyer