Ask HN: I found a pretty extreme data leak and I'm not sure what to do

107 points by _jvqm ↗ HN
Long story short, through a bizarre chain of events starting from trying to hire a contractor online an anonymous person (the title is from their perspective) has uncovered and has access to thousands of user credentials (email + CLEARTEXT password), associated addresses, company information, as well as associated active API keys for stock and crypto exchange accounts, and to top it all off some of them have withdrawal permissions.

The entity affected by this vulnerability is NOT a trustworthy company, it is not even a registered company. The service is operated by individuals and not under a registered business entity. The anonymous person wants to assure you that no sane person would ever subscribe to it, they are providing technically borderline illegal / grey area services (for they are not licensed as they should), yet there are thousands of paying active users.

The nature of access is such that it is somewhat hard for bots to find, which the anonymous person assumes is the reason it seems untampered with, but they have not tried executing write operations so they have no idea if it may only be read-only access and bots had a field day on it already - they doubt it at this point. The database itself also contains admin credentials to an internal administration interface which HAS write permissions.

Now, there might obviously be some documentation going on, but they are seriously wondering what to do with this before anything else.

As far as they see it, there are three options right now,

1) Contact the site owners themselves and let them know, but the... service they run seems shady, it is not a company, and the anonymous person worries that they might try to simply sweep it under the rug without informing their customers or doing nothing at all about it (if they are even still around, the last admin login in their system seems to be from March even though there are thousands of users still active)

2) Scrape off the email addresses and send emails to the affected individuals, warning them of the data leak, urging them to change their passwords and disable the API keys, however the anonymous person worries that their emails either get routed to spam or ignored by a good amount of them

3) Nuke the data to prevent any future harm

They are super lost.

122 comments

[ 3.2 ms ] story [ 194 ms ] thread
Maybe contact Have I Been Pwned?, work with them to add it to their leak database, notify site owners afterwards with a timeframe for disclosure and release your findings/blog post? Give people a way to check with HIBP, site owners a way to mitigate and claim the credit for the discovery.
This is probably the best option for anyone actually trying to fix the problem.

https://haveibeenpwned.com/FAQs#SubmitBreach

> If you've come across a data breach which you'd like to submit, get in touch with me. https://www.troyhunt.com/contact

Good luck on your OPSEC, should not have used your 7 year old account... might hit up dang to change the account so you don't get kidnapped.

Seriously, this. You just publicly stated you have access to millions.
That is not a very special occurrence. I’d argue you can find almost anyone with access to a million dollars online. Just go to Twitter or so.
Take a look at the hn reaction to your post, this is a special occurence. Regardless it's your decision and I imagine you have your reasons.
Finding such a thing might be somewhat special, but (referring to your comment) having theoretical access to money is definitely not a special thing.
Right, and Have I Been Pwned is about findings.
Yes sir, not contesting any of that, Troy Hunt may receive an anonymous email soon.
He might have tried a burner account that never got approved (so no posting showing up).
I've never been in this situation, but this seems like a good option--reach out to someone like Troy Hunt of Have I Been Pwned or a tech journalist who does security related content(maybe someone at Arstechnica?). They probably know how to raise awareness in a way that reduces their personal liability.
I would scrape the data whole, then contact the site owners and send them a copy, maybe through an attorney.

Nuking the data will likely make you a fugitive of the law. I would not advise that.

Re: steps 2 and 3, they could (and I would emphasize that I'm not a domain specialist) be perceived as being criminal in nature - obviously depending on the jurisdiction(s) involved. With respect to IT, history has shown that the road to a prison cell is paved with good intentions. You might be expecting gratitude but there's a good chance you'll come up against a 'shoot the messenger' mentality.

Here's some quick US related info:

https://www.thefederalcriminalattorneys.com/federal-computer....

Step 3 is definitely and understandably so not a very legal thing to do, however I'm not sure about simply sending off emails? The person in question did not do anything illegal to gain access to this database in the first place, it is wide open.

They are not realistically expecting gratitude, they are simply not willing to ignore this risk to other humans.

Whether you did or didn't do something criminal to gain access to the emails would likely be determined by the mood of the prosecutor on a particular day or, worse, by a judge or jury. Perhaps the most advisable course would be to contact your local bar association for a referral or the EFF.
They are not based in the United States, but I think you are right regardless and they will call an attorney tomorrow.
Not being based in the US doesn't mean that you can't be criminally prosecuted in the US or, for that matter any jurisdiction that takes an interest and has a generous belief in the extra-territorial applicability of its laws.
Just document the fuck out of everything you did dude, no matter what you chose to do.
Trust me, they are.
It doesn't matter if the front door of a house is locked or not. If you go in, you're going to be charged with at least attempted burglary if no one is home, and attempted robbery if someone is home. It's still trespassing, and you'll have a very hard time convincing anyone that you were there simply to observe if you're caught.

The database being wide open has nothing to do with anything, really, except the severity of it all. If you use that information for any purpose you are probably in violation of one or more laws, depending on where you and the data are.

Fair enough. I dont think they are planning to use any information.
Ask the site owners to start a bug bounty program.
Lol, trust me, they will not start a bug bounty program.
Tread very carefully. You probably need a lawyer. Consider reporting with extremely careful anonymity to affected parties. Do not blog about it until and unless cleared to do so by a lawyer.
> Do not blog about it until and unless cleared to do so by a lawyer.

I anal but do not blog about it EVEN IF cleated to do so by a lawyer.

Get a second opinion anyways. It is you who risks prison, not the lawyer.

Option 4: Do absolutely nothing. Slowly step away from the vehicle. And walk away.
They would rather not live in the assumption that they are responsible by proxy/neglect.
"A clear conscience? When did you acquire this taste for luxuries?" - https://www.youtube.com/watch?v=jNKjShmHw7s

[You do you, but "letting people know a crypto company in Russia(?) is a bit shady" is not at the same level as walking past a person in trouble and ignoring them. The risks to your person and life of 'hacking' a multi-million dollar financial company, accross national borders, into a country in an active war and sabre rattling to the rest of the world, have got to be worth some serious consideration and not just a hurried blog post written in a couple of days].

They are, or I wouldn’t be posting here, but I sincerely thank you for your concern and advice.
Since merely knowing what the OP knows already likely implicates him in at least one felony, you (and he) might want to think about that very carefully.
It's either that or probably go to prison. I know what I'd pick :)
Option 5: Take the money and run

Seriously though, I'd just contact Brian Krebs and go from there.

Krebs is not a bad idea as he would cover not only the leak but the (allegedly) shady nature of the service. He’s read by a lot of serious people including law enforcement and national security.

Negotiate your own anonymity with him BEFORE you provide any actual info (this goes for all reporters BTW).

Another option is to drop a write-up in The NY Times or Washington Post Secure Drop TOR service. They both have serious info security reporters.

No guarantee any of these options will pick up the story, of course.

(comment deleted)
You just told the world about a compromised site that has something to do with crypto and stocks. That was your first mistake.

If you want to white hat this you should just contact the admin and mass mail everyone affected and wash your hands of it.

Nuking the site could destroy those peoples crypto forever. Don't do that.

Of course they want to white hat this.

Their cryptocurrency is not stored on this site.

You can't white hat this anymore, what is described is already pretty dark grey.
1) talk to a lawyer to make sure you’re protected 2) read up on anonymous responsible disclosure - you have to give them the chance to patch it themselves in a reasonable amount of time
> you have to give them the chance to patch it themselves

No you don't. If they're just going to bury the truth and hang their users out to dry then the responsible route is to bypass them.

I’ve never been in a similar position; but I’m thinking about what I’d do if I found the same.

The end goal here is to close the loop hole so those affected can be safe as soon as possible with limited risk to yourself. My first thought was to reach out to either a trusted tech journalist that would keep their sources safe (keeping you anonymous), or reach out to an organization like the EFF which has a strong history of defending peoples digital rights and interests.

I don’t know if either of these are good fits for their original purpose, but that’s where my mind went immediately. I’d think either would make good efforts to close the issue and keep you safe.

They have been considering this too, but realistically this is a little known service, there are thousands of it like it, and the affected user count is only in the thousands. I don’t know if any of these people would care in the first place. I will tell an anonymous person to try regardless.
4) Regret posting this publicly.
I have not committed any kind of crime. I'm just telling the story of another person.
You probably have. You just don't know it.
Like 2 days ago you identified yourself as being in the Netherlands. Not sure how much other private info you have leaked in your comments. I recommend deleting everything now while you hopefully still can.
First of all, I'm only telling a story of another unnamed person - besides, what exactly are you so worried about?
That someone will try to locate you and extract the information. You said that there are millions in these accounts and in some cases you can even withdraw money. That sounds like Christmas for criminals.

Do yourself a favor and never use this alias in here again. Or anywhere else for that matter. Even better delete the whole freaking post.

I don't have access to anything. Besides, I'm surprised that they would be the only person you know that has access to money.
Knowing someone who has money isn't the same as knowing someone who can provide access to thousands of active API keys to crypto exchange accounts. I'm not trying to spook you, but you don't seem to understand the severity of what you've just told to the public Internet. We're a bit paranoid in here because we've seen and heard a lot of weird shit over the years. Do yourself a favor and take this seriously, will you.
My car is unlocked in my driveway with the keys inside (it really is, I live in a safe country) In many jurisdictions you’ve done the equivalent of open the doors, sit inside, start the engine and take it for a roll around the block. Except instead of a car worth a few thousand dollars it’s a crypto exchange with possibly millions of dollars of assets.
That seems like an unfit comparison. If anything, they have found your key on the sidewalk, sat inside the car for 10 seconds, and then left again.
This seems like bad advice at this point. I’m not a lawyer. Deleting things could be perceived as destroying evidence. Before doing anything get a lawyer involved.
You've seeked for a key, found it, then deliberately gave it to burglars, in which country is that not a crime?

I understand the urge to share these feelings to someone, but this is way stupid. I've flagged your post btw.

.. deliberately given it to burglars? Absolutely nil has happened besides finding this.
good luck convincing anyone that a site called 'hacker news' isn't full of burglars

as a matter of fact i'm burgling right now

Thanks for the laugh. Okay, guilty by association.
To know what you just admitted to knowing, you did commit a crime in at least some jurisdictions (US being one). Rarely prosecuted, but still.

[https://www.law.cornell.edu/uscode/text/18/1030] 18 US Code 1030, section (a)2(a). Section (b) is something to be wary of as well.

Section (c) seems to say it’s ONLY up to 5 years in federal prison though and $1k fine.

Honestly, doubt anyone would bother if you didn’t try to profit from it, but who knows.

Edit: add link to US Code

In the US unauthorized access of a private system, particularly with financial records or other protected data, is a crime: https://www.law.cornell.edu/uscode/text/18/1030 Doesn't matter how you got access, it just matters that you did it. It is very broad and very vague, but a lot of hackers in the 90's were put in federal prison for some time under this and similar laws.

I would stop posting about this on the internet.

Do the most ethical thing, and keep your good karma intact.
Don't do anything or they may come after you legally too.
Be very, very careful - as ANYTHING you do might land you in hot water. Better consult a lawyer before doing anything.

Personal anecdote: some years back, I was working with a major government agency and I uncovered a huge security problem (a print queue was unprotected and any user could read the ultra-secret, world's-fate-altering documents). I promplty reported the issue and, instead of a commendation, I nearly got myself arrested.

Legal aspects and institutional rules can be complex and counter-intuitive - they can punish even the Good Samaritan!

Again: consult a lawyer before doing anything.

Recently the governor of Missouri, Parson, tried to prosecute a professor who found a huge leak of teacher data. The professor informed the state about it before writing any articles on it and made sure it had been fixed. It just embarrassed the governor, who's office was responsible for security. The governor then proceeded to embarrass himself even more by calling him a hacker (it was raw html) and threatening prosecution and ordering a two year investigation. The professor still had to hire a lawyer and deal with this for two years.

https://krebsonsecurity.com/2022/02/report-missouri-governor...

It changes nothing about your post, but I believe it was Base64 Encoded session state.

Within the raw HTML certainly, but not quite cleartext.

It’s essentially the same. If anyone even searched for that info, several search engines could decode it automatically.
If I see a base64 blob in a webpage, you can bet I'm going to decode it.
(comment deleted)
Reading these comments, it's amazing how hard it is to be a responsible person these days.

The bad guys would have no problem selling this data to make a quick buck.

While the anonymous person understands some of the responses, and will make super sure to do absolutely nil until they have spoken to an attorney (and obviously not access anything on purpose now), they too are a little bit surprised to see some users worried they might get kidnapped and similar.

It is like they have never seen any other regular person with money before.

Great job for being so conscientious about responsible disclosure.
From what you’re describing it sounds a bit like a crypto honeypot … there’s a lot of sites that pose as crypto exchanges but are actually scams, they deliberately expose credentials and have accounts with (fake) millions of dollars in crypto money in them.

Except, when you go to withdraw there’s usually some restriction where you can only withdraw to another site account, so you sign up and are forced to deposit some crypto to activate your new account. Then you’ve lost your money.

It is not a honeypot, it’s a service that uses these API keys.

I am aware of the withdrawal logics.

Fair enough, just thought I’d warn you just in case.
Astounding the lengths people will go to avoid having to provide a real good or service.
Yeah I wouldn’t believe it if I had not seen a few of these firsthand. So much wasted effort…
You can check some logins with ihavebeenpwned.com to see if the list has already been exfiltrated.
WARNING to people reading this comment: The correct URL is haveibeenpwned.com
> Now, I'm obviously documenting this insanity to write a blog post over the next couple of days,

Many countries have hacking laws that are exceptionally broad, written in the 1980s by legislators who had never even touched a computer. A law might, for example, ban "gaining unauthorized access to a computer system"

This means that if you accidentally find what looks like a security problem, and you look around a bit to make sure you're not raising a false alarm - you're already in violation of the law.

If your country has any such laws, to claim credit for your discovery would be to admit to a crime.

And while you might not have done anything you think of as hacking, put yourself in the mindset of the site operator. They might feel as if you've put a gun to their heads, or that scaring you into shutting up and deleting any data you've downloaded is them protecting their customers - they might go to the cops and give the cops a very different perspective.

If you want to alert the world to this breach, may I suggest downloading the breached data anonymously and e-mailing it anonymously to Troy Hunt of Have I Been Pwned?

I will tell an anonymous person to do this, but I’m not sure if Troy Hunt cares about a random one-of-thousands service and a few thousand affected users.
A few minutes ago, you were calling it a "pretty extreme data leak" and "millions of dollars" so I think he'd at least know how to validate the leak and enter it into HIBP.
These statements stand unchanged. The usage of "pretty extreme" could be regarding the "quality" of data, not quantity. Compared to the usual data leaks on HIBP it seems like an occurrence that happens frequently and the affected user count is abysmally low. Some anonymous person might fire off an email to Troy Hunt regardless.
Is this something you'd get extradited for? Sounds like they're not in the same country.
A few years ago I had an app that checked emails for leaks. Never collected the queried emails. Google didn't like it and banned my account without any warning.
Anonymous disclosure to a trusted party is the only correct answer. Excellent advice.
Why don't you try contacting a law enforcement agency, and let them handle it from there on?
If there is something they will not do until they have spoken to an attorney it is exactly this..
What they did is a crime, going to the police to say "hello I did a crime!" is a legal darwin award.
You can contact the police anonymously, or through a lawyer.
I'm surprised nobody has suggested contacting the FBI or other INTERPOL member force.

That's what I would do.

Stop everything you are doing. Contact a lawyer immediately.

Do not do any of the things you are considering. People go to prison for this stuff.

The irony is that data brokers often have this information and will sell to unscrupulous 3rd party buyers.