Hacker News
by michaelt 1491 days ago
> Now, I'm obviously documenting this insanity to write a blog post over the next couple of days,

Many countries have hacking laws that are exceptionally broad, written in the 1980s by legislators who had never even touched a computer. A law might, for example, ban "gaining unauthorized access to a computer system".

This means that if you accidentally find what looks like a security problem, and you look around a bit to make sure you're not raising a false alarm - you're already in violation of the law.

If your country has any such laws, to claim credit for your discovery would be to admit to a crime.

And while you might not have done anything you think of as hacking, put yourself in the mindset of the site operator. They might feel as if you've put a gun to their heads, or that scaring you into shutting up and deleting any data you've downloaded is them protecting their customers - they might go to the cops and give the cops a very different perspective.

If you want to alert the world to this breach, may I suggest downloading the breached data anonymously and e-mailing it anonymously to Troy Hunt of Have I Been Pwned?

4 comments

Anonymous disclosure to a trusted party is the only correct answer. Excellent advice.

A few years ago I had an app that checked emails for leaks. Never collected the queried emails. Google didn't like it and banned my account without any warning.

I will tell an anonymous person to do this, but I’m not sure if Troy Hunt cares about a random one-of-thousands service and a few thousand affected users.

A few minutes ago, you were calling it a "pretty extreme data leak" and "millions of dollars", so I think he'd at least know how to validate the leak and enter it into HIBP.

These statements stand unchanged. The usage of "pretty extreme" could be regarding the "quality" of data, not quantity. Compared to the usual data leaks on HIBP, it seems like an occurrence that happens frequently, and the affected user count is abysmally low. Some anonymous person might fire off an email to Troy Hunt regardless.

Is this something you'd get extradited for? Sounds like they're not in the same country.