HackerOne Disclosed Reports - 2025-08-02

Medium
resolved

Unauthorized Disclosure of Private Emails via WakaTime Private Leaderboards

Bug reported by was disclosed at August 3, 2025, 3:23 am   |   Information Disclosure

The vulnerability allowed unauthorized disclosure of private email addresses of WakaTime users through the private leaderboards feature. The email addresses were exposed to leaderboard creators and members, even when the users had not chosen to make their emails public.