Ask HN: Found a leak of US citizens personal data. Should I report it?
Security research is my hobby.
Yesterday I found a pretty big (estimated at tens of thousands of records) data leak.
Full name, date of birth, mail, phone, address.
Nothing to do with the company.
The company in California, I'm in Canada.
It's a data operator its customers are other companies from different states in the US. Texas, California, Florida and others.
I don't think I have the right to download all the leaked data. But my several checks showed that all clients and end-user data is available.
What should I do about it?
84 comments
[ 2.9 ms ] story [ 150 ms ] threadResponse was: Please do not ever communicate directly with anyone from a federal law enforcement agency. Only talk to them through an attorney. They are most definitely not on your side.
Then I wrote in response: The guy is from Canada.
So all three of your guesses are wrong. I'm stating that a Canadian has much less to worry about (compared to a US citizen) when contacting a US law enforcement agency about a compromise in the security of a US company that impacts multiple US states.
Some organisations will be grateful for your help and you get that warm feeling that comes with knowing you've helped to protect peoples data. But, when it goes wrong and you become the target of the organisation's ire, the personal consequences can be severe.
Example: https://news.ycombinator.com/item?id=29745960
Destroy the reputation of a company with 10+ years of experience on the market. And force dozens of other companies across the U.S. to apologize to their customers for leaking data.
Not to mention lawsuits and fines for such a leak.
1. Find the least-incriminating/reputationally damaging records within whatever quantum of the data you are prepared to look at
2. Make a website (with a landing page like for security bugs >.>), Tor site, pastebin dump or whatever else that seems reasonable
3. Publish 1-10% of the data (!)
4. Encourage the site to do the news rounds
5. Explicitly email the company to be concretely sure they know about the site (maybe even do the CC bomb thing, for extra overkill bonus points)
6. Provide contact info with clear indication you will promptly provide all info to an adequately verified third party
The leak should disappear within the hour presumably.
Naturally, brain-breaking levels of self-protection would necessarily need to be employed, to guard against incompetent/egoistic retaliation (and the systemic resources large organizations effectively own). Make the Protonmail address from a VPN over a VPN over Tor, for example. Or perhaps start with a voice-scrambled VoIP call before committing to a video chat. Good luck here, basically.
Your opsec is always poorer than you think it is.
Just send an anonymous tip to Brian Krebs or similar if you want to do the noble thing.
What?
https://news.ycombinator.com/item?id=34934091
It's an approach that's specifically calculated to minimize the blowback.
However that said, there is no upside in you reporting the leak, only downside potential.
There is - not letting it be - raising awareness and contributing to prevention of a normalization of such things. If everyone would hold "let sleeping dogs lie"/"not my circus, not my monkeys" attitude it would gradually become a norm and this benefits no one (but possibly bad actors).
However, exercising caution never hurts, so it shouldn't be a bad idea to reach out anonymously and explicitly state that you have nothing to do with the issue at hand and merely an observer who had noticed its existence. Doing so through a trusted third party who are experienced (many names in comments already) with handling such situations is probably the best approach.
It already is a norm. Companies and organizations leak data constantly and there are near zero repercussions. A best a tiny fine that's utterly irrelevant to their fiscal position. An hour of earnings.
Meanwhile individuals who are trying to do good more often than not are accused of hacking, blackmailing, CFAA violations, etc and may end up with serious individual repercussions, fines, fees, or jail.
It's absolutely not worth it on an individual basis. I cannot stress this enough.
[0] https://securedrop.org/directory/
Also, to have your first contact with the company be “I’ve found a problem and I want money” might get Legal rather than IT involved, and then you’re on the back foot.
No? Zerodium.
If it's related to protecting children or a vulnerable group, maybe report it. Otherwise, whatever.
Either way, don't do it in a way that they know it was you who found it.
Morally they should “do the right thing”, but as many have explained in the comments, this will end up costing anything from reputation to money to freedom.
It really sucks that the only sane advice here is to sit on it and move on :(
https://www.facebook.com/.well-known/security.txt
https://www.apple.com/.well-known/security.txt
https://www.amazon.com/.well-known/security.txt
https://www.google.com/.well-known/security.txt
https://www.facebook.com/.well-known/security.txt
https://www.apple.com/.well-known/security.txt
https://www.amazon.com/.well-known/security.txt
https://www.google.com/.well-known/security.txt
The RFC for it came out April 22 and has backing by quite a few organizations.
https://securitytxt.org/
the typical cost of legal actions pursuant to a data breach are so low, it doesn't make dollars or sense to give a shit about customer infosec.
It's not like we don't have perfectly capable people, or that the companies in question don't care about information security in general. For example, it's exceedingly rare to see a data leak that makes individuals or institutions look bad from a PR standpoint (like Snowden).
But customer data? why bother? what, are they gonna slap us with a million dollar class action? I'm quaking so hard in my boots my multibillion market cap is gonna fall off.
Relevant personal anecdote from the EU: one time I was checking the API of a service I wanted to use and managed to obtain full access to the database which among bunch of PII also contained plaintext passwords. Being a good citizen, I decided to report the problem to national CERT instead of the company, because I had prior experience with such reports where the company reacted with a lawsuit threat. The response from CERT was "While your intents are noble, you just admitted to gaining unauthorized access and we will forward this information to the company if they decide to take legal action".
This was 2 years ago, luckily the company did not press charges, the data in question is still wide open for hacking and I could not care less anymore. Learned my lesson that there is no room for good Samaritans in web security.
Further, I am not sure the company can prove this is unauthorized access when they provide the data without requiring authentication (through negligence). They could claim, we made it open to public but the public is not supposed to download it, but this is a difficult claim, eg, it should have been clearly stated in their website at minimum. It’s a bit like public photography.
On the other topic: it definetly isn't anything like public photography you mentioned, at least not in my jurisdiction. Here it is enough that the company says "you were not supposed to see that data" and that is enough to claim unauthorized access. It is then up to the court to prove that they had adequate protections etc.
The OP says they are based in Canada. It definetly warrants hiring a lawyer to get advice on this matter, but IMO it is not worth it at all. The best possible outcome is getting a tap on the back and a thanks from the company, the worst possible outcome is legal proceedings. Expected net gain is negative.
https://www.vice.com/en/article/pkpmj7/this-is-the-hacking-i...
"In the US/Canada things are like this. It sounds like it's China."
It's literally not China, but the US/Canada. It sounds like the US/Canada. Because it is.
It doesn't sound like China. It sounds like the US, because it is.
Yet you are not prepared for an important consequence of the results of your research.
Perhaps you should consider changing hobbies.