That Time I Thought I Got Pwned (But Was Just Being a Noob)
Woke up to suspicious AWS bot traffic hitting my Ghost API endpoints. Spent 5 minutes convinced I was hacked before realizing I'm just an idiot who never read the docs. Turns out Ghost's Content API key is supposed to be public. Who knew? (Everyone except me, apparently.)
Picture this: Monday morning. Coffee still brewing. Me, opening Matomo analytics with the confidence of someone who definitely knows what they're doing.
The whole thing went like this:
"Oh wow, look at all this traffic! I'm basically TechCrunch now!"

Then I looked closer. That's a lot of requests from one IP. But whatever, bots gonna bot, right? So I check the IP. Amazon EC2 from Virginia. Fancy bot you got there.
Then I made the mistake of checking server logs. Why the hell are they hitting my Ghost API endpoints?

🚨 DEFCON 1 ALERT 🚨
There it was, staring at me from the logs:
GET /ghost/api/content/settings/?key=63239db85e57b8eb36c2708bbe
My brain went straight into panic mode. Years of reading about security breaches had prepared me for this moment. Or so I thought.
Here's what I was SURE was happening:
✅ They have my API key
✅ Full control of my blog acquired
✅ Currently stealing all subscriber emails
✅ Probably replacing my AdSense with theirs
✅ Tomorrow's headline: "POLISH BLOGGER GETS REKT BY AWS BOT"
✅ My LinkedIn bubble will find out I got hacked
✅ Career = over
I was already writing my incident response blog post in my head: "How I Got Hacked and What You Can Learn From My Stupidity."
Plot Twist: I'm Just an Idiot
You know that feeling when you're about to call the fire department, but then realize you just burnt toast? Yeah, that.
Here's the thing. I use APIs like I use my microwave. Push button, get result. Documentation? What's that? On my blog, I only use one API integration that I know about. It's for IndexNow, because SEO and stuff. So when I saw some random API key being accessed, my brain immediately screamed UNAUTHORIZED ACCESS!
What I didn't know (because reading is hard, apparently) is that Ghost has this thing called the Content API. And it's not like the Admin API, which is the secret and powerful one. No, the Content API is basically public. Like, really public.

The Facepalm Moment
Ghost's Content API key is:
- Public ✓
- Read-only ✓
- Literally embedded in your site's HTML ✓
- Supposed to be there ✓
Don't believe me? You're looking at it right now. Hit CTRL+U on this very page. Search for "data-key". There's my "super secret" API key, just sitting there in plain sight.
Why? Because your theme needs it to display content. Who would have thought, right?

What Actually Happened
Some bot (probably building a search index or whatever bots do these days) found my site and politely asked for my public content using my very public API key. Like it's supposed to.
And I'm over here ready to nuke my entire server from orbit.
Lessons Learned
First, maybe read the documentation. Just a little bit. Even the titles would help.
Second, not all API keys are created equal. Some are Fort Knox, others are more like... a public library card.
Third, coffee first, panic second. I clearly wasn't thinking straight.
Fourth, and this hurts to admit, but my blog with its dozens of visitors per month is probably not on anyone's hacking radar. Sorry, Bartek, but it's true.
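Since "not all API keys are created equal" is the whole lesson here, this is an added example (not from the original post) of how you can sort Ghost API hits in an access log into the buckets that actually matter: read-only Content API requests carrying the public key (expected, like the bot above), requests carrying a key that isn't yours, and anything touching the Admin API. It assumes combined-format access logs and that the Admin API lives under /ghost/api/admin/ as in current Ghost versions; the log lines are constructed samples, not real server output.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# The public Content API key quoted in the post; any other key in a request is "unknown".
CONTENT_KEY = "63239db85e57b8eb36c2708bbe"

# Constructed sample access-log lines (combined format); not real server output.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:06:12:01 +0000] "GET /ghost/api/content/settings/?key=63239db85e57b8eb36c2708bbe HTTP/1.1" 200 812
203.0.113.7 - - [10/Mar/2025:06:12:02 +0000] "GET /ghost/api/content/posts/?key=63239db85e57b8eb36c2708bbe&limit=all HTTP/1.1" 200 40211
198.51.100.9 - - [10/Mar/2025:06:13:40 +0000] "GET /ghost/api/admin/users/ HTTP/1.1" 401 97
198.51.100.9 - - [10/Mar/2025:06:14:02 +0000] "POST /ghost/api/admin/session/ HTTP/1.1" 401 97
198.51.100.9 - - [10/Mar/2025:06:14:05 +0000] "GET /ghost/api/content/posts/?key=ffffffffffffffffffffffffff HTTP/1.1" 401 97
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def classify(method, target, content_key=CONTENT_KEY):
    """Label one Ghost API request by what it could actually do."""
    parts = urlsplit(target)
    if parts.path.startswith("/ghost/api/admin/"):   # assumed Admin API prefix
        return "admin"                  # Admin API has write access: always worth a look
    if parts.path.startswith("/ghost/api/content/"):
        key = parse_qs(parts.query).get("key", [None])[0]
        if method != "GET":
            return "content-odd-method"  # Content API is read-only; non-GET is unexpected
        if key == content_key:
            return "content-public"      # expected: the same key sitting in your theme's data-key
        return "content-unknown-key"     # not your key: guessing, or a stale integration
    return "other"

def triage(log_text, content_key=CONTENT_KEY):
    """Return {ip: Counter(label -> hits)} for every Ghost API request in the log."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["target"].startswith("/ghost/api/"):
            continue
        label = classify(m["method"], m["target"], content_key)
        report.setdefault(m["ip"], Counter())[label] += 1
    return report

def needs_attention(report):
    """IPs that did anything beyond reading the public Content API with the public key."""
    return sorted(ip for ip, c in report.items() if any(k != "content-public" for k in c))
```

Run `triage(SAMPLE_LOG)` and the Virginia-style bot (203.0.113.7) comes out as plain public reads, while 198.51.100.9, which poked the Admin API and used a key that isn't yours, is the one `needs_attention` returns.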
The Silver Lining
At least I didn't tweet about being hacked. Or change all my passwords. Or reinstall my entire server. Or call my hosting provider crying (wait, that's me...). So there's that.

Final Thoughts
To the Amazon EC2 bot from Ashburn, Virginia: I'm sorry I thought you were a hacker. You were just doing your job, scraping the web like a good little bot. We cool?
To everyone else: next time you see something weird in your logs, maybe Google it first. Just a thought.
Now if you'll excuse me, I have some documentation to pretend I'm going to read. Right after I finish this coffee.
P.S. Yes, I know I should have known this. Yes, I'm keeping this post up forever as a monument to my shame. No, I will not read the documentation for everything I use. We both know that's a lie.