Ask HN: I found a pretty extreme data leak and I'm not sure what to do
The entity affected by this vulnerability is NOT a trustworthy company, it is not even a registered company. The service is operated by individuals and not under a registered business entity. The anonymous person wants to assure you that no sane person would ever subscribe to it, they are providing technically borderline illegal / grey area services (for they are not licensed as they should), yet there are thousands of paying active users.
The nature of access is such that it is somewhat hard for bots to find, which the anonymous person assumes is the reason it seems untampered with, but they have not tried executing write operations so they have no idea if it may only be read-only access and bots had a field day on it already - they doubt it at this point. The database itself also contains admin credentials to an internal administration interface which HAS write permissions.
Now, there might obviously be some documentation going on, but they are seriously wondering what to do with this before anything else.
As far as they see it, there are three options right now,
1) Contact the site owners themselves and let them know, but the... service they run seems shady, it is not a company, and the anonymous person worries that they might try to simply sweep it under the rug without informing their customers or doing nothing at all about it (if they are even still around, the last admin login in their system seems to be from March even though there are thousands of users still active)
2) Scrape off the email addresses and send emails to the affected individuals, warning them of the data leak, urging them to change their passwords and disable the API keys, however the anonymous person worries that their emails either get routed to spam or ignored by a good amount of them
3) Nuke the data to prevent any future harm
They are super lost.
122 comments
[ 3.2 ms ] story [ 194 ms ] threadhttps://haveibeenpwned.com/FAQs#SubmitBreach
> If you've come across a data breach which you'd like to submit, get in touch with me. https://www.troyhunt.com/contact
Good luck on your OPSEC, should not have used your 7 year old account... might hit up dang to change the account so you don't get kidnapped.
Nuking the data will likely make you a fugitive of the law. I would not advise that.
Here's some quick US related info:
https://www.thefederalcriminalattorneys.com/federal-computer....
They are not realistically expecting gratitude, they are simply not willing to ignore this risk to other humans.
https://en.wikipedia.org/wiki/Personal_jurisdiction_over_int...
The database being wide open has nothing to do with anything, really, except the severity of it all. If you use that information for any purpose you are probably in violation of one or more laws, depending on where you and the data are.
I anal but do not blog about it EVEN IF cleated to do so by a lawyer.
Get a second opinion anyways. It is you who risks prison, not the lawyer.
[You do you, but "letting people know a crypto company in Russia(?) is a bit shady" is not at the same level as walking past a person in trouble and ignoring them. The risks to your person and life of 'hacking' a multi-million dollar financial company, accross national borders, into a country in an active war and sabre rattling to the rest of the world, have got to be worth some serious consideration and not just a hurried blog post written in a couple of days].
Seriously though, I'd just contact Brian Krebs and go from there.
Negotiate your own anonymity with him BEFORE you provide any actual info (this goes for all reporters BTW).
Another option is to drop a write-up in The NY Times or Washington Post Secure Drop TOR service. They both have serious info security reporters.
No guarantee any of these options will pick up the story, of course.
If you want to white hat this you should just contact the admin and mass mail everyone affected and wash your hands of it.
Nuking the site could destroy those peoples crypto forever. Don't do that.
Their cryptocurrency is not stored on this site.
No you don't. If they're just going to bury the truth and hang their users out to dry then the responsible route is to bypass them.
The end goal here is to close the loop hole so those affected can be safe as soon as possible with limited risk to yourself. My first thought was to reach out to either a trusted tech journalist that would keep their sources safe (keeping you anonymous), or reach out to an organization like the EFF which has a strong history of defending peoples digital rights and interests.
I don’t know if either of these are good fits for their original purpose, but that’s where my mind went immediately. I’d think either would make good efforts to close the issue and keep you safe.
Do yourself a favor and never use this alias in here again. Or anywhere else for that matter. Even better delete the whole freaking post.
I understand the urge to share these feelings to someone, but this is way stupid. I've flagged your post btw.
as a matter of fact i'm burgling right now
[https://www.law.cornell.edu/uscode/text/18/1030] 18 US Code 1030, section (a)2(a). Section (b) is something to be wary of as well.
Section (c) seems to say it’s ONLY up to 5 years in federal prison though and $1k fine.
Honestly, doubt anyone would bother if you didn’t try to profit from it, but who knows.
Edit: add link to US Code
I would stop posting about this on the internet.
Personal anecdote: some years back, I was working with a major government agency and I uncovered a huge security problem (a print queue was unprotected and any user could read the ultra-secret, world's-fate-altering documents). I promplty reported the issue and, instead of a commendation, I nearly got myself arrested.
Legal aspects and institutional rules can be complex and counter-intuitive - they can punish even the Good Samaritan!
Again: consult a lawyer before doing anything.
https://krebsonsecurity.com/2022/02/report-missouri-governor...
Within the raw HTML certainly, but not quite cleartext.
The bad guys would have no problem selling this data to make a quick buck.
It is like they have never seen any other regular person with money before.
Except, when you go to withdraw there’s usually some restriction where you can only withdraw to another site account, so you sign up and are forced to deposit some crypto to activate your new account. Then you’ve lost your money.
I am aware of the withdrawal logics.
Many countries have hacking laws that are exceptionally broad, written in the 1980s by legislators who had never even touched a computer. A law might, for example, ban "gaining unauthorized access to a computer system"
This means that if you accidentally find what looks like a security problem, and you look around a bit to make sure you're not raising a false alarm - you're already in violation of the law.
If your country has any such laws, to claim credit for your discovery would be to admit to a crime.
And while you might not have done anything you think of as hacking, put yourself in the mindset of the site operator. They might feel as if you've put a gun to their heads, or that scaring you into shutting up and deleting any data you've downloaded is them protecting their customers - they might go to the cops and give the cops a very different perspective.
If you want to alert the world to this breach, may I suggest downloading the breached data anonymously and e-mailing it anonymously to Troy Hunt of Have I Been Pwned?
https://youtu.be/d-7o9xYp7eE
That's what I would do.
Do not do any of the things you are considering. People go to prison for this stuff.
https://en.wikipedia.org/wiki/Computer_emergency_response_te...