An employee of Rabbit, the company that created the Rabbit R1 artificial intelligence device, gave hackers access to the product's API. This allowed them to read users' emails and impersonate the service by sending messages from the company's mail server. This was reported by Gizmodo.
In June 2024, a team of hackers calling themselves Rabbitude published a report claiming to have gained access to a large portion of Rabbit's internal code base.
They got hold of the key to ElevenLabs' text-to-speech service, which allowed them to view all users' past text messages. Rabbit initially denied the problem, but later changed its API keys.
“In June, an employee (who has since been terminated) leaked API keys to a self-proclaimed ‘hacktivist’ group, which wrote an article claiming they had access to Rabbit’s internal source code and some API keys. Rabbit immediately revoked and rotated those API keys and moved additional secrets into AWS Secrets Manager,” writes a Rabbit representative.
The hackers claim that the hack took place in May 2024 and that Rabbit was aware of it. But the company chose to ignore the problem until Rabbitude published their article the following month.
To prove that the hackers did indeed have access to the company's keys, one of Rabbitude's members sent an email to Gizmodo from Rabbit's internal mail server.
Rabbitude claims that the problem is not that they have taken possession of sensitive data from Rabbit R1 users, but that anyone on the Rabbit team has access to this information. The company shouldn't have embedded its API keys in the code, a practice that allowed too many people to gain internal access.