Do Not Be Surprised if LessWrong Gets Hacked

LessWrong, Apr 9, 2026

Key Takeaways

  • LessWrong prioritizes speed over security, like early‑stage startups
  • The recent Anthropic Mythos announcement reveals many zero‑day vulnerabilities in AI tools
  • Breached data could include emails, hashed passwords, drafts, and DM content
  • Users should avoid storing crypto keys or API credentials on LessWrong
  • No immediate security overhaul; hard‑deletion of user data remains costly

Pulse Analysis

The recent Anthropic Mythos announcement has sent shockwaves through the cybersecurity community, revealing a trove of zero‑day flaws in large language models trained for code generation. These vulnerabilities enable automated code‑analysis tools to discover and exploit weaknesses at scale, turning what were once niche attacks into mass‑deployment threats. For platforms like LessWrong, which operate with startup‑style trade‑offs, the risk is not that attackers will target high‑value financial data, but that the sheer volume of automated probing could surface any stored credentials, drafts, or private messages.

LessWrong’s own admission that speed outweighs hardening mirrors a broader trend among niche online communities: they lack the resources for comprehensive audits, regular penetration testing, and robust data‑deletion pipelines. The cost of refactoring code to support hard deletion across backups is measured in engineer‑months, a luxury many small teams cannot afford. Consequently, user data, ranging from email addresses to OAuth tokens, remains persistently accessible, creating a low but real incentive for opportunistic actors to scrape databases after a breach.

For end‑users, the practical takeaway is to treat platforms without enterprise‑grade security as public bulletin boards. Store passwords, crypto wallet keys, and API secrets in dedicated password managers, and enable TOTP‑based two‑factor authentication wherever possible. While the likelihood of a massive public dump from LessWrong is modest, the evolving landscape of AI‑enhanced attacks means that even modest data exposures can be weaponized at scale. Adjusting personal security hygiene now mitigates future risks as the threat horizon expands.
