by callesgg 3680 days ago
About a month or so ago I found an open public Mongo database with about 12GB of records regarding people's retirement funds of what I assume were hundreds of thousands of people: account numbers, how much money was in the accounts when they had moved them to various funds, and so on.

Thought long and hard about what to do but decided not to do anything; don't feel like risking my entire life just to help someone. This is me assuming they did not intend to have it publicly open.

With that story out there, it would be nice to have a legit legal way to inform the police or a similar trustworthy government agency that could handle issues like this.

7 comments

Brian Krebs (Krebs On Security) breaks these types of stories, though he's a journalist so he would publicly disclose it. Very possible he'd contact them privately prior to a story, though, in the hopes they fix it before publication.
In Finland, you can send an anonymous tip to the Communications Regulation Authority, who will then inform the service provider.

Perhaps the FCC has something similar?

Seems like, at the very least, you could offer it to Wikileaks. Might be too small a story for them to care about though.

I'm looking at 'Have I been pwned' [0], but they seem to care about only breaches that have been publicly acknowledged. Sounds like they don't want to be in the business of breaking this kind of news themselves.

Maybe there needs to be a new Web site for this kind of thing -- located outside the US, of course. (Probably there already is one and I don't know about it.)

[0] https://haveibeenpwned.com/

You could search PGP keyservers for email addresses/domains of the local media where that retirement fund is located and take it from there, using your own judgment about the reporter and outlet, and how much you'd want to mask that communication.
> You could search PGP keyservers for email addresses/domains of the local media where that retirement fund is located

Best case among the likely outcomes of that is: "Can you re-send that e-mail? It's all garbled or something."

Anonymous email through a few proxies from a one-time email address should be sufficient.

"I accidentally discovered this when I mistyped an IP."

And there should be a responsibility for not applying proper measures to protect personal information.
US-CERT