Bluesky — Data Breach
Executive Summary
Security researcher David Buchanan discovered a vulnerability in Bluesky's core did:plc identity mechanism that allowed hijacking any account's identity by creating lengthened duplicates of existing decentralized identifiers (DIDs). The researcher demonstrated the exploit by changing the handle of the official @bsky.app account. Bluesky acknowledged the report within 34 minutes and deployed a patch the same day.
What Happened
In June 2023, security researcher David Buchanan discovered a vulnerability in Bluesky's did:plc identity mechanism that allowed him to modify identity information for any account by creating lengthened duplicates of decentralized identifiers (DIDs). A did:plc identifier is derived from a hash of the account's genesis operation and truncated to a fixed 24 characters, so a longer string that begins with those 24 characters is not the same identifier; a directory that does not enforce the exact length and form of the identifier can be made to treat such a string as a duplicate of an existing identity. He demonstrated the exploit by changing the handle of the official @bsky.app account and reported the issue on June 1st at 04:51 UTC. Bluesky acknowledged the report 34 minutes later and deployed a patch by 17:03 UTC the same day, giving Buchanan permission to discuss the vulnerability publicly.
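The bug class described above, as an added illustration that is not Bluesky's or the did:plc project's own code: the identifier derivation follows the did:plc method (did:plc: followed by the first 24 characters of the lowercase base32 SHA-256 of the genesis operation), but the genesis operation is serialized here as canonical JSON rather than DAG-CBOR, and the key and signature values in the sample operation are placeholders. The lax check is a hypothetical prefix comparison written to show how a lengthened duplicate slips through; it is not the code that was actually patched.

```python
# Added illustration, not Bluesky's or the did:plc project's code.
# Derives a did:plc identifier the way the method specifies (did:plc: plus
# the first 24 chars of lowercase base32 SHA-256 of the genesis op) and
# contrasts a hypothetical lax identifier check, which accepts a lengthened
# duplicate, with a strict one. Simplification: the genesis op is serialized
# as canonical JSON rather than DAG-CBOR, so the value is not a real did:plc.
import base64
import hashlib
import json
import re

# Exactly 24 lowercase base32 characters after the method prefix.
DID_PLC_RE = re.compile(r"^did:plc:[a-z2-7]{24}$")


def derive_did(genesis_op: dict) -> str:
    """Derive the identifier from a genesis op (canonical JSON stands in for DAG-CBOR)."""
    encoded = json.dumps(genesis_op, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(encoded).digest()
    b32 = base64.b32encode(digest).decode("ascii").lower().rstrip("=")
    return "did:plc:" + b32[:24]


def lax_check(did: str, genesis_op: dict) -> bool:
    """Hypothetical weak check: a prefix comparison.

    Any string that merely starts with the derived identifier passes, so a
    lengthened duplicate such as did:plc:<24 chars>aaaa is accepted even
    though it is a different string from the real identifier.
    """
    return did.startswith(derive_did(genesis_op))


def strict_check(did: str, genesis_op: dict) -> bool:
    """Hardened check: enforce the exact format first, then compare for equality."""
    if not DID_PLC_RE.fullmatch(did):
        return False
    return did == derive_did(genesis_op)


def lengthened_duplicate(did: str, extra: str = "aaaa") -> str:
    """Build the kind of lengthened duplicate the report describes:
    same 24-char prefix, extra trailing characters from the base32 alphabet."""
    return did + extra


# Constructed sample genesis op. Field names follow the did:plc create
# operation shape; the key and signature values are placeholders.
SAMPLE_OP = {
    "type": "plc_operation",
    "rotationKeys": ["did:key:zExampleRotationKey"],
    "verificationMethods": {"atproto": "did:key:zExampleSigningKey"},
    "alsoKnownAs": ["at://example.bsky.social"],
    "services": {
        "atproto_pds": {
            "type": "AtprotoPersonalDataServer",
            "endpoint": "https://bsky.social",
        }
    },
    "prev": None,
    "sig": "placeholder-signature",
}


def compare_checks(genesis_op: dict = SAMPLE_OP) -> dict:
    """Run both checks on the real identifier and on a lengthened duplicate."""
    did = derive_did(genesis_op)
    dup = lengthened_duplicate(did)
    return {
        "did": did,
        "duplicate": dup,
        "lax_accepts_real": lax_check(did, genesis_op),
        "lax_accepts_duplicate": lax_check(dup, genesis_op),
        "strict_accepts_real": strict_check(did, genesis_op),
        "strict_accepts_duplicate": strict_check(dup, genesis_op),
    }


if __name__ == "__main__":
    for key, value in compare_checks().items():
        print(f"{key}: {value}")
```

The practical takeaway is the order of operations in `strict_check`: validate the identifier against a closed grammar (fixed alphabet, fixed length) before using it as a lookup key or comparing it with anything derived from account data. Prefix matching, case folding, or trimming at any point in that path reintroduces the duplicate problem.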
Who Is Affected
All Bluesky users were potentially affected, since the flaw sat in the core identity mechanism and could have been used to hijack any account's identity, including its handle. The vulnerability existed in the did:plc system that the AT Protocol uses to manage user identity across the decentralized network; because did:plc identifiers are issued and resolved through the PLC directory operated by Bluesky, the fix could be deployed centrally rather than requiring action by individual users.
Why It Matters
This vulnerability exposed a weakness in identifier validation at the heart of Bluesky's decentralized identity system: when even the official @bsky.app account can be hijacked, any trust placed in a handle or DID is only as strong as the directory's checks on the identifier itself. The incident highlighted both the security risks inherent in new decentralized protocols and the importance of rapid vulnerability response; Bluesky patched the issue within approximately 12 hours of the initial report, and the only known exploitation was the researcher's own demonstration.
AI-Assisted
Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.