Supabase Advisory · Leaked-Password Protection Off by Default
Severity: medium · Published: 2025-09-01
Supabase Auth's integration with HaveIBeenPwned · which rejects passwords found in known breaches · is disabled by default on every new project. Combined with the ~700M compromised passwords in circulation, this leaves signups vulnerable to trivial credential stuffing. This is a configuration advisory rather than a CVE, but the exposure is systemic.
Affected
- Every Supabase project created without explicitly enabling leaked-password protection
- Applies to email/password signup flows · not OAuth-only projects
Impact
Users can sign up with passwords like `password123` or previously-breached credentials tied to their email. Credential-stuffing tools automate account takeover against any exposed login endpoint. Impact scales with user base and whether the app holds sensitive data.
Fix
- Supabase Dashboard > Authentication > Providers > Email · toggle 'Leaked password protection' on.
- Set a minimum password length of 12+ characters in the same panel.
- Enable rate limits on signup and login endpoints (on by default; verify).
- Offer TOTP MFA for accounts with real value (payments, admin, private data).
Check your app →