Flux.ai Silences Adafruit With Legal Threat — Devs Furious

Adafruit Industries, the NYC-based open-source hardware company beloved by makers and developers for over 15 years, paused its blog last week after receiving a legal demand letter from Flux.ai, an AI-powered PCB design startup. The Hacker News thread hit 623 points and 253 comments within hours. Adafruit’s apparent offense: preparing to publish a responsible disclosure about a server misconfiguration that had left Flux.ai user data publicly exposed. Instead of a thank-you, Adafruit received a letter from Fenwick & West LLP threatening defamation claims and Computer Fraud and Abuse Act violations.

What Actually Happened

The sequence of events matters here. Adafruit discovered that Flux.ai’s servers had a misconfiguration that made user data publicly accessible — not hidden behind authentication, not behind a firewall. Just out there. Adafruit did what responsible security practitioners do: they documented it and prepared to publish a disclosure.

On May 22, 2026, before anything went live, Adafruit received a demand letter from Jonathan F. Lenzner, a Fenwick & West partner and former FBI chief of staff, on behalf of Flux.ai. The letter demanded Adafruit refrain from publishing an article it claimed contained “false and potentially defamatory claims” and raised CFAA claims for allegedly accessing “restricted” information. Adafruit’s position is unambiguous: it accessed only data Flux.ai’s own systems made publicly available through their own misconfiguration, and the reporting was standard responsible disclosure in the public interest.

Adafruit’s leadership — Limor “ladyada” Fried and pt — publicly rejected all claims but paused the blog pending legal review. The result? The story is now on Hacker News, Slashdot, and across the developer community. Flux.ai turned a contained security disclosure into a headline, and the Streisand Effect arrived on schedule.

The CFAA Problem With This Demand Letter

The Computer Fraud and Abuse Act is a 1986 law written to criminalize hacking — intentional, unauthorized access to computer systems. Using it to threaten someone who accessed data left open by a server misconfiguration stretches the statute well past its original purpose.

The Supreme Court narrowed the CFAA meaningfully in Van Buren v. United States (2021). Under Van Buren, if information is not behind an authorization barrier that was bypassed, accessing it does not constitute “unauthorized access” under the CFAA. A misconfiguration that makes data publicly accessible is, by definition, not restricting access. That is precisely Adafruit’s situation.

This pattern has played out before, and badly. Andrew “Weev” Auernheimer found that AT&T had exposed iPad owner email addresses through a similar misconfiguration. He notified AT&T, and when AT&T ignored it, he alerted the press. He was prosecuted under the CFAA, convicted, and sentenced to 41 months in federal prison. The conviction was ultimately vacated on venue grounds — not because the CFAA theory was sound. The Electronic Frontier Foundation has documented for years how the CFAA gets weaponized against researchers. This looks like another entry in that record.

The Real Cost Falls on the Next Researcher

Adafruit is not going away. The company has community support, legal resources, and — critically — New York’s strong anti-SLAPP statute potentially on its side. The legal threat will likely cost Flux.ai more in goodwill than any Adafruit article would have cost them in reputation.

However, the real damage lands on every researcher who sees this and recalculates. The developer who finds a misconfiguration next month, looks at what happened to Adafruit, and decides not to report it. The engineer who discovers exposed user data, thinks about the Fenwick & West letterhead, and closes the tab. Responsible disclosure only functions when reporting a bug costs less than staying silent. Legal threats directly attack that calculus.

Context Worth Having on Flux.ai

Flux.ai raised $37 million in a Series B round in February 2026, bringing total funding to approximately $49 million. Backers include 8VC, Bain Capital Ventures, and GitHub founder Tom Preston-Werner. The company can afford Big Law. Adafruit, while a well-established community institution, is not a $49 million startup. Power asymmetry is part of how this kind of legal pressure works.

Moreover, the HN community surfaced something Flux.ai likely did not want amplified: multiple engineers described poor product experiences — spending $50–100 in tokens without usable output, receiving automated follow-up emails that went nowhere. By threatening a security disclosure, Flux.ai has made its own product quality a secondary story that is now getting far more coverage than it otherwise would.

The Bottom Line

Adafruit found exposed data. Adafruit prepared a responsible disclosure. Flux.ai hired an ex-FBI partner at a Big Law firm and sent a threatening letter instead of saying thank you. The developer community — correctly — reads this as an attempt to silence legitimate security reporting through legal intimidation. Whatever Flux.ai’s misconfiguration exposed, it is exposed far further now. Watch this space: Adafruit has promised community updates, and this case may well test how New York’s anti-SLAPP protections apply to security disclosure in 2026.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
