How My SaaS Got Wrecked by 24,000 Fake Users in 2 Hours.
They say disbelief is powerful. One moment, you're shipping features, sipping cheap coffee at midnight, believing your micro-SaaS is surviving. Next, your metrics explode, and you're not sure whether to cry or call for help.
That was me last night, founder of voicemate.nl, running what I thought was a solid sign-up flow with a queue and auto-cleanup. Until the moment 24,000 spurious signups hit in two hours. It wasn't a new viral wave or a Product Hunt spike; it was a spam tsunami, and my systems stood little chance.
This essay isn’t a boast. It’s a confession, a postmortem, and a survival story. Let’s unpack it.
Background
Voicemate.nl was born out of necessity, not Silicon Valley dreams. Like many side-hustle founders, I had a day job, family responsibilities, and that restless urge to build something that worked while I slept. The idea was simple: an AI-powered voicemail management tool, lightweight enough to run cheaply, yet useful enough to earn real revenue.
The tech stack reflected that “live lean” philosophy: a FastAPI backend running on a single 512 MB Lightsail instance, one worker handling the queue, Stripe for payments, and an auto-delete trigger if users didn’t pay within 20 minutes. Minimal, scrappy, and ruthlessly efficient.
At the time, it felt brilliant, no over-engineering, no wasted money. But beneath that simplicity was a dangerous assumption: that the internet is kind, users are honest, and validation could wait.
Challenges
1. “No One Will Spam My Signup”… Famous Last Words
The signup endpoint was wide open: a simple POST with no throttle. It seemed safe. Who would abuse a silent form tucked behind a minimal UI? Well… apparently, enough spammers to generate 24,000 bogus entries in 120 minutes. No user data was compromised, just my optimism.
2. Mixpanel On Red Bull
One glance at Mixpanel at 2:37 AM, and it looked like Wall Street on stock-market-meme day. The graph didn’t climb, it rocketed vertically. I didn’t watch data; data landed on me like a meteor.
3. Panic and Queue Paralysis
The task queue started behaving like a drunk octopus—slow, tangled, unreliable. I had no time to think. The poor worker, with zero autoscaling, was overdosing on garbage signups. How many more would pile up? I'd learn soon enough.
4. Saving Grace of the Simplest Architecture
Miraculously, the FastAPI and funnel queue held. Two tiny servers processed everything—but that queue saved the day. It didn’t crash, even under an absurd load.
Solution
A. Lockdown Rate Limits
End-of-night adrenaline turned into code. I added rate limiting straightaway:
IP-based throttling
Global endpoint throttling
Verified signups per minute caps
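The three limits above map onto three counters. The following is an added example, not voicemate.nl's code: a framework-agnostic sliding-window limiter with a per-IP cap, a global cap and a separate cap on verified signups per minute. It also evicts idle per-IP windows, because a flood from thousands of addresses would otherwise grow the per-IP table without bound. All thresholds and the sample request stream are constructed for the example; in a FastAPI app the `check_request` call would sit in a dependency that raises HTTP 429 when it returns a reason.

```python
"""Sliding-window rate limiting for a signup endpoint (added example)."""
from collections import defaultdict, deque
from typing import Optional
import time


class SlidingWindow:
    """Counts allowed events in the last `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self.events = deque()  # timestamps of allowed events, oldest first

    def _prune(self, now: float) -> None:
        while self.events and now - self.events[0] >= self.window:
            self.events.popleft()

    def allow(self, now: float) -> bool:
        """Record the event and return True, or return False if at the limit."""
        self._prune(now)
        if len(self.events) >= self.limit:
            return False
        self.events.append(now)
        return True

    def active(self, now: float) -> bool:
        self._prune(now)
        return bool(self.events)


class SignupLimiter:
    # Constructed example thresholds, not the post's production values.
    def __init__(self, per_ip=5, ip_window=60.0, global_limit=100,
                 global_window=60.0, verified_per_minute=30):
        self.per_ip = defaultdict(lambda: SlidingWindow(per_ip, ip_window))
        self.global_window = SlidingWindow(global_limit, global_window)
        self.verified = SlidingWindow(verified_per_minute, 60.0)

    def check_request(self, ip: str, now: Optional[float] = None) -> Optional[str]:
        """Return None if the POST may proceed, else the limit that refused it.

        The per-IP check runs first so that one noisy address exhausts its
        own budget without consuming global capacity that other clients need.
        """
        now = time.monotonic() if now is None else now
        if not self.per_ip[ip].allow(now):
            return "ip"
        if not self.global_window.allow(now):
            return "global"
        return None

    def record_verified_signup(self, now: Optional[float] = None) -> bool:
        """Call once a signup is verified; False means account creation
        should be deferred rather than committed right now."""
        now = time.monotonic() if now is None else now
        return self.verified.allow(now)

    def evict_idle(self, now: Optional[float] = None) -> int:
        """Drop per-IP windows with no events inside the window; returns count."""
        now = time.monotonic() if now is None else now
        idle = [ip for ip, w in self.per_ip.items() if not w.active(now)]
        for ip in idle:
            del self.per_ip[ip]
        return len(idle)


def replay(limiter: SignupLimiter, requests) -> dict:
    """Feed (timestamp, ip) pairs through the limiter and tally outcomes."""
    counts = {"allowed": 0, "ip": 0, "global": 0}
    for t, ip in requests:
        reason = limiter.check_request(ip, now=t)
        counts[reason or "allowed"] += 1
    return counts


# Constructed traffic: one address hammering the form, then a burst from
# 120 distinct addresses in the same second (documentation IP ranges).
SAMPLE_REQUESTS = (
    [(float(i), "203.0.113.7") for i in range(8)]
    + [(10.0, f"198.51.100.{i}") for i in range(120)]
)

if __name__ == "__main__":
    limiter = SignupLimiter()
    print(replay(limiter, SAMPLE_REQUESTS))
    print("idle windows evicted after 100 s:", limiter.evict_idle(100.0))
```

Rejected requests are not recorded in the window, so a client that is at its limit regains a slot as soon as its oldest allowed request ages out; if you want rejected attempts to extend the lockout, record them too. The eviction call belongs in a periodic task, not on the request path.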
B. Queue Scaling Controls
I added autoscaling rules: if backlog spikes, spawn another worker, double if need be. This ensures future floods won’t drown the system.
C. Enforced Auto-Expiry & Cleanup
Now, unpaid signups expire within minutes, not 20. And there’s now a “nuke junk” script I can run in 10 seconds if attacks like this recur.
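As an added example (not the post's own script), here is what that expiry and cleanup logic looks like against a signups table. The schema, the five-minute grace period and the seeded rows are constructed for the example; the post does not give its real schema. The delete runs in batches so that a single huge transaction never holds the table while the API is still serving requests, and it only ever touches rows with `paid = 0`, so a customer who paid is never swept up with the junk.

```python
"""Expiring unpaid signups in batches (added example, SQLite in memory)."""
import sqlite3
from datetime import datetime, timedelta, timezone

EXPIRY_MINUTES = 5      # constructed grace period for the example
BATCH_SIZE = 500        # rows deleted per transaction

SCHEMA = """
CREATE TABLE signups (
    id         INTEGER PRIMARY KEY,
    email      TEXT NOT NULL,
    created_at TEXT NOT NULL,            -- ISO-8601, always UTC
    paid       INTEGER NOT NULL DEFAULT 0
);
-- The cleanup query filters on (paid, created_at); index it so the
-- purge stays cheap even with tens of thousands of junk rows.
CREATE INDEX idx_signups_unpaid ON signups (paid, created_at);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def seed(conn: sqlite3.Connection, now: datetime) -> None:
    """Constructed data: 24 unpaid junk rows 1..24 minutes old, 3 paid customers."""
    rows = [(f"junk{i}@example.invalid",
             (now - timedelta(minutes=i + 1)).isoformat(), 0)
            for i in range(24)]
    rows += [(f"customer{j}@example.invalid",
              (now - timedelta(minutes=30 * (j + 1))).isoformat(), 1)
             for j in range(3)]
    conn.executemany(
        "INSERT INTO signups (email, created_at, paid) VALUES (?, ?, ?)", rows)
    conn.commit()


def purge_expired(conn: sqlite3.Connection, now: datetime,
                  expiry_minutes: int = EXPIRY_MINUTES,
                  batch_size: int = BATCH_SIZE) -> int:
    """Delete unpaid signups older than the grace period; return rows removed."""
    cutoff = (now - timedelta(minutes=expiry_minutes)).isoformat()
    removed = 0
    while True:
        cur = conn.execute(
            "DELETE FROM signups WHERE id IN ("
            "  SELECT id FROM signups WHERE paid = 0 AND created_at < ? LIMIT ?)",
            (cutoff, batch_size))
        conn.commit()
        if cur.rowcount == 0:
            break
        removed += cur.rowcount
    return removed


def remaining(conn: sqlite3.Connection) -> tuple:
    """(unpaid, paid) row counts, for checking what the purge left behind."""
    unpaid = conn.execute("SELECT COUNT(*) FROM signups WHERE paid = 0").fetchone()[0]
    paid = conn.execute("SELECT COUNT(*) FROM signups WHERE paid = 1").fetchone()[0]
    return unpaid, paid


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 2, 37, tzinfo=timezone.utc)  # constructed clock
    db = open_db()
    seed(db, now)
    print("removed:", purge_expired(db, now, batch_size=4))
    print("remaining (unpaid, paid):", remaining(db))
```

Timestamps are stored as ISO-8601 strings in UTC so that plain string comparison orders them correctly; mixing offsets would break the `created_at < ?` filter. Scheduling `purge_expired` every minute gives the "expire within minutes" behaviour; running it by hand with a small `expiry_minutes` is the "nuke junk" case.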
D. Added Basic Validation
Even a minimal CAPTCHA or simple email/random token check would’ve stopped a lot. I realized that "not overthinking the form" was naïve security-by-ignorance.
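The "email/random token check" can be done without storing anything per token. The following is an added example, not the post's code: a syntactic email sanity check plus an HMAC-signed, time-limited verification token that the confirmation link carries back. The signing key, the 15-minute lifetime and the clock values are constructed for the example; a real deployment loads the key from configuration. Because the signature covers the email and the issue time, a forged or expired token is rejected without a database lookup, which matters when the flood is what you are defending against.

```python
"""Stateless email verification tokens (added example)."""
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # constructed lifetime for the example
CLOCK_SKEW_SECONDS = 60       # tolerate a token "from the future" by this much


def looks_like_email(value: str) -> bool:
    """Cheap syntactic check to reject obvious garbage, not RFC 5322 validation."""
    if not value or len(value) > 254 or any(c.isspace() for c in value):
        return False
    local, sep, domain = value.partition("@")
    return bool(sep) and bool(local) and "." in domain and "@" not in domain


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(email: str, key: bytes, now: Optional[float] = None) -> str:
    """Return '<payload>.<signature>' binding the email to its issue time."""
    now = int(time.time()) if now is None else int(now)
    payload = f"{email.strip().lower()}|{now}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, key: bytes, now: Optional[float] = None,
                 ttl: int = TOKEN_TTL_SECONDS) -> Optional[str]:
    """Return the verified email, or None if malformed, forged or expired."""
    now = int(time.time()) if now is None else int(now)
    try:
        p64, s64 = token.split(".", 1)
        payload, sig = _unb64(p64), _unb64(s64)
        email, issued_text = payload.decode().rsplit("|", 1)
        issued = int(issued_text)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison: do not leak how many signature bytes matched.
    if not hmac.compare_digest(sig, expected):
        return None
    if now - issued > ttl or issued > now + CLOCK_SKEW_SECONDS:
        return None
    return email


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"
    tok = issue_token("Alice@Example.com", key, now=1000)
    print(tok)
    print("valid  ->", verify_token(tok, key, now=1500))
    print("expired->", verify_token(tok, key, now=1000 + TOKEN_TTL_SECONDS + 1))
```

The signup handler stores nothing until `verify_token` returns an email, so 24,000 unconfirmed POSTs cost a few HMAC computations rather than 24,000 database rows. Signature verification runs before the expiry check on purpose: a token that fails the MAC is never trusted for anything, including its own timestamp.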
Results
In the end, the chaos didn’t kill the system, though it definitely shaved a few years off my lifespan. Against all odds, my humble little task queue held its ground. The app never fully collapsed, even with 24,000 junk signups hammering it. Once I ran the cleanup script, those fake accounts were gone in minutes, like sweeping confetti off the street after a parade nobody asked for. The downtime? Barely 15 minutes. Most users didn’t even notice, though I certainly felt every second ticking by.
But the real result wasn’t just technical survival, it was perspective. I had built something lean and scrappy that could withstand a storm I never expected, and I came out with stronger defenses for the next round. Most importantly, I learned a lesson every founder eventually gets tattooed on their brain: just because you wouldn’t spam your own form doesn’t mean the internet won’t.
TL;DR
My SaaS, voicemate.nl, was briefly spam-DDoSed with 24,000 fake signups. Systems held—no data was lost. Fixed it by slapping on rate limits, queue scaling, auto-expiry, and clean-up tools. Moral: “No one would do that” is a poor security strategy.