on may 16, 2024, the rabbitude team gained access to the rabbit codebase and found several critical hardcoded api keys in its code. these keys allow anyone to:

  • read every response every r1 has ever given, including ones containing personal information
  • brick all r1s
  • alter the responses of all r1s
  • replace every r1’s voice

…and more.

these api keys are for the following services:

  • ElevenLabs (for text-to-speech)
  • Azure (for an old speech-to-text system)
  • Yelp (for review lookups)
  • Google Maps (for location lookups)

rabbit’s response

we have internal confirmation that the rabbit team is aware of this leaking of api keys and has chosen to ignore it. the api keys continue to be valid as of writing.

we believe it is important for consumers to be aware of rabbit’s poor security practices, as they can have devastating consequences for r1 users.

we will not be publishing any more details out of respect for the users, not the company.