rabbit  data  breach:  all  r1  responses  ever  given  can  be  downloaded 

this is unrelated to the announcement saying to unlink your rabbithole connections, but you should still do that.


on may 16, 2024, the rabbitude team gained access to the rabbit codebase and found several critical hardcoded api keys in its code. these keys allow anyone to:

  • read every response every r1 has ever given, including ones containing personal information
  • brick all r1s
  • alter the responses of all r1s
  • replace every r1’s voice

…and more.

these api keys are for the following services:


the most interesting key is for elevenlabs, which gives full privileges. this allows us to:

  • get a history of all past text-to-speech messages
  • change voices
  • add custom text replacements (e.g. “r1” to “ar one”)
  • delete voices (and crash the rabbitOS backend, thus rendering all r1 devices useless)

rabbit’s response

we have internal confirmation that the rabbit team is aware of this leaking of api keys and have chosen to ignore it. the api keys continue to be valid as of writing.

we believe it is important for consumers to be aware of rabbit’s poor security practices, as it can have devastating consequences for r1 users.

we will not be publishing any more details out of respect for the users, not the company.