Nov 30, 2025
Security Fix: Creator Profile Data Exposure Risk

We recently patched an issue where creator profile endpoints returned more fields than intended. This exposed non-public profile data in page source and, more critically, could have allowed profile fields to be manipulated via certain API endpoints. No passwords, access tokens, or other sensitive data were involved.
We’re sharing this to stay transparent. Questions? Contact Pakked on Discord (or support).
What happened
Creator profile endpoints returned sensitive metadata (email, admin/owner flags, ban flags).
The same over-permissive responses could be abused via API calls to manipulate profile/resource data.
Authentication was required, but the payloads were overly permissive.
What we fixed
Locked down all creator-related queries and APIs to a strict whitelist of public fields only.
Removed server responses that included sensitive columns; write paths now validate and constrain allowed fields.
Updated creator pages, explore, collections, and resource comments to consume only sanitized profile data.
Added internal checks to prevent similar over-sharing in future endpoints.
Impact
Read: Non-public profile metadata could be viewed.
Write: Certain profile fields could have been manipulated through API calls.
After reviewing logs, we found no evidence of password/token exposure or authentication bypass.
Prevention going forward
Enforced a reusable public-field selector across creator/resource endpoints.
Hardened request validation on profile mutations.
Added review gates for any new queries touching profile data.
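The two fixes above (a reusable public-field selector on read paths, and allowlist validation on profile mutations) are the standard defence against over-permissive API responses and mass-assignment style writes. The following is an added example written for this post, not Pakked's own code: the record layout, field names (email, is_admin, is_owner, is_banned), allowlists, and length limits are all constructed assumptions, and the "unsafe" serializer is included only to show what a review gate catches.

```python
"""Allowlist-based field selection for profile responses and mutation validation.

Added example, not Pakked's code. The row layout, field names, allowlists and
limits below are constructed assumptions for illustration.
"""

# Constructed sample: a creator row as a data layer might return it, including
# columns that must never reach a public endpoint.
CREATOR_ROW = {
    "id": 42,
    "username": "example_creator",
    "display_name": "Example Creator",
    "bio": "Makes things.",
    "email": "creator@example.invalid",
    "is_admin": False,
    "is_owner": True,
    "is_banned": False,
}

# Assumed allowlist: the only fields a creator endpoint may ever return.
# An allowlist is used rather than a blocklist so that a newly added sensitive
# column is hidden by default instead of exposed by default.
PUBLIC_CREATOR_FIELDS = frozenset({"id", "username", "display_name", "bio"})

# Assumed allowlist for self-service profile updates, with a max length per
# field. Privilege and moderation flags are deliberately absent.
SELF_WRITABLE_FIELDS = {"display_name": 64, "bio": 500}


def serialize_creator_unsafe(row):
    """The over-permissive pattern: the whole row goes to the client."""
    return dict(row)


def select_public_fields(row, allowed=PUBLIC_CREATOR_FIELDS):
    """Reusable public-field selector: copy only allowlisted keys."""
    return {key: row[key] for key in allowed if key in row}


class FieldNotAllowed(ValueError):
    """Raised when a mutation names a field outside the allowlist."""


def validate_profile_update(payload, allowed=SELF_WRITABLE_FIELDS):
    """Reject (rather than silently drop) unexpected fields, and constrain
    the allowed ones. Rejecting keeps attempts visible in request logs."""
    unexpected = sorted(set(payload) - set(allowed))
    if unexpected:
        raise FieldNotAllowed(f"fields not writable here: {unexpected}")
    for key, value in payload.items():
        if not isinstance(value, str):
            raise FieldNotAllowed(f"{key} must be a string")
        if len(value) > allowed[key]:
            raise FieldNotAllowed(f"{key} exceeds {allowed[key]} characters")
    return dict(payload)


def apply_profile_update(row, payload):
    """Write path: validated fields are merged, everything else is untouched."""
    updated = dict(row)
    updated.update(validate_profile_update(payload))
    return updated


def leaked_fields(response, allowed=PUBLIC_CREATOR_FIELDS):
    """Internal check / review gate: fields in a response outside the allowlist.
    An empty list means the response is clean."""
    return sorted(set(response) - allowed)


if __name__ == "__main__":
    print("unsafe response leaks:", leaked_fields(serialize_creator_unsafe(CREATOR_ROW)))
    print("selector response leaks:", leaked_fields(select_public_fields(CREATOR_ROW)))
    try:
        validate_profile_update({"bio": "hi", "is_admin": True})
    except FieldNotAllowed as err:
        print("rejected:", err)
```

The `leaked_fields` check is the piece to wire into tests or a CI gate: run every serializer over a fixture row that contains all sensitive columns and fail the build if the result is non-empty, which is a concrete form of the "review gates" mentioned above.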
We’re extremely sorry this occurred. Based on our checks, your data was not accessed and no malicious actions were taken.
Big thanks to @mcmistrzyt on Discord for spotting and helping out.