Good read for Arc users. Here’s the tl;dr from Arc’s response:

  • confirming they had fixed the issue
  • adding a feature to disable boosts in the client, preventing this vulnerability from affecting people who do not use boosts
  • doing an audit of their current Firebase ACL rules internally
  • having established proper protocols for security issues

additionally, from internal discussions with Arc, they are also:

  • fixing the mentioned privacy concerns in the v1.61.1 update
  • moving off Firebase for new features and products
  • doing an external security audit for this version
  • starting a bug bounty program for further vulnerabilities