Ask HN: What to do when you learn someone's credentials have leaked?
Long story: So i was hanging out on this perfectly legit forum when a sketchy person started to ask if we could provide them 1TB storage that they could pay for but would rather go with a friendly transaction rather than through a business. Sounds nice so far, maybe a fellow FLOSS hacker has too much stuff to backup?
They claimed it was 1TB of logs which raised our suspicions but they said it was all legit and we could look through it they wouldn't mind. So we got a 2MB sample zip but inside were stolen credentials from a third person, as well as - you guessed it - malware named "Passwords.txt.lnk". It looks like the credentials were compiled by a malware called Redline.
So now i have tons of passwords for this poor 3rd party but no way to contact them to let them know they've been pwned. Any ideas? I thought about contacting gmail & others so they can probably SMS this person, but for most of those accounts i could not find contact info for the sysadmins or security team.
Going to the police is probably not gonna help and might get me and other friendly people in trouble for accessing this data in the first place so i'm not going for that. To be clear, i haven't tested any of these credentials but i'm assuming they're real since the usernames/passwords have some resemblance yet subtle variations.
What would you do?
7 comments
[ 2.9 ms ] story [ 28.6 ms ] threadhttps://us-cert.cisa.gov/forms/report
You might want to reach out to the EFF (info@eff.org), or researchers such as Brian Krebs (contact form at https://krebsonsecurity.com/about/) or Troy Hunt (HaveIBeenPwnd, contact page including email: https://www.troyhunt.com/contact/).
It might also be wise to get personal and/or legal counsel to cover procedures and speak for you, which they can do without necessarily incriminating you.
Phil Venables is CISO Google Cloud:
https://www.linkedin.com/in/philvenables
https://www.bloomberg.com/profile/person/20055418
https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisati...
I was looking for something on a European level, but Europol seems to care only about money trails as far as I can tell from their website...
Also as previous comment said: get a lawyer. No, seriously, I mean it. The scapegoat game is harsh when someone on the other end reads the term "hacker" or "leak" because they (companies) fear blame and want to avoid it.
How would you inform the user in a useful way?
Directly.. no.. wouldn't work
Indirectly.. Log in to every account through tor. The user will get security notifications from many services which will trigger them to change their passwords