Ask HN: Found a leak of US citizens personal data. Should I report it?
88 points by g48ywsJk6w48 1217 days ago
Security research is my hobby. Yesterday I found a pretty big (estimated at tens of thousands of records) data leak. Full name, date of birth, mail, phone, address. Nothing to do with the company. The company is in California; I'm in Canada.

It's a data operator; its customers are other companies from different states in the US: Texas, California, Florida and others.

I don't think I have the right to download all the leaked data. But my several checks showed that all clients and end-user data is available.

What should I do about it?

22 comments

Maybe tell someone like Troy Hunt from haveibeenpwned. He has a pretty good reputation/following for verifying this kind of thing and telling the right people.
I came into here to offer the same advice, that's exactly what their specialty is.
Unfortunately, he did not answer for a week. Started thinking a data leak is not a super interesting topic for professionals. It happens every week, so my discovery is just another data leak.
Or use one of the organizations that have a secure drop instance running [0]

[0] https://securedrop.org/directory/

Telling divd.nl (Dutch Institute for Vulnerability Disclosure) can be a good option too.
The fact is that you gained unauthorized access to personal information, which might be a criminal offence in your jurisdiction despite your honorable intentions. My advice is to let it go and not implicate yourself any further.

Relevant personal anecdote from the EU: one time I was checking the API of a service I wanted to use and managed to obtain full access to the database which among bunch of PII also contained plaintext passwords. Being a good citizen, I decided to report the problem to national CERT instead of the company, because I had prior experience with such reports where the company reacted with a lawsuit threat. The response from CERT was "While your intents are noble, you just admitted to gaining unauthorized access and we will forward this information to the company if they decide to take legal action".

This was 2 years ago, luckily the company did not press charges, the data in question is still wide open for hacking and I could not care less anymore. Learned my lesson that there is no room for good Samaritans in web security.

Just send from an email not under your real name.

Further, I am not sure the company can prove this is unauthorized access when they provide the data without requiring authentication (through negligence). They could claim "we made it open to the public but the public is not supposed to download it", but this is a difficult claim, e.g., it should have been clearly stated on their website at minimum. It's a bit like public photography.

Sending anonymously could work if possible, here you have to be authenticated with your government email, otherwise they just ignore it.

On the other topic: it definitely isn't anything like the public photography you mentioned, at least not in my jurisdiction. Here it is enough that the company says "you were not supposed to see that data" and that is enough to claim unauthorized access. It is then up to the court to prove that they had adequate protections etc.

The OP says they are based in Canada. It definitely warrants hiring a lawyer to get advice on this matter, but IMO it is not worth it at all. The best possible outcome is getting a pat on the back and a thanks from the company, the worst possible outcome is legal proceedings. Expected net gain is negative.

You can report it to CISA/USCERT. They will take care of the notification to the end company and protect your identity: https://www.cisa.gov/report
Unfortunately, they did not answer for a week. Started thinking a data leak is not a super interesting topic for professionals. It happens every week, so my discovery is just another data leak.
I'd question whether the potential blowback of doing the right thing is actually worth it.

Some organisations will be grateful for your help and you get that warm feeling that comes with knowing you've helped to protect people's data. But, when it goes wrong and you become the target of the organisation's ire, the personal consequences can be severe.

Example: https://news.ycombinator.com/item?id=29745960

I absolutely agree. It is unlikely that I will be thanked for such an act.

Destroy the reputation of a company with 10+ years of experience on the market. And force dozens of other companies across the U.S. to apologize to their customers for leaking data.

Not to mention lawsuits and fines for such a leak.

How about this for an idea:

1. Find the least-incriminating/reputationally damaging records within whatever quantum of the data you are prepared to look at

2. Make a website (with a landing page like for security bugs >.>), Tor site, pastebin dump or whatever else that seems reasonable

3. Publish 1-10% of the data (!)

4. Encourage the site to do the news rounds

5. Explicitly email the company to be concretely sure they know about the site (maybe even do the CC bomb thing, for extra overkill bonus points)

6. Provide contact info with clear indication you will promptly provide all info to an adequately verified third party

The leak should disappear within the hour presumably.

Naturally, brain-breaking levels of self-protection would necessarily need to be employed, to guard against incompetent/egoistic retaliation (and the systemic resources large organizations effectively own). Make the Protonmail address from a VPN over a VPN over Tor, for example. Or perhaps start with a voice-scrambled VoIP call before committing to a video chat. Good luck here, basically.

Take this advice if you want to make sure you have a good chance of ending up arrested. That is to say, don’t.

Your opsec is always poorer than you think it is.

Just send an anonymous tip to Brian Krebs or similar if you want to do the noble thing.

Mmmm. Yeah the above is my lack of experience talking hehe. The very last thing to take armchair advice on lol
This is almost exactly the opposite of what you should do in this situation
> 3. Publish 1-10% of the data

What?

Proceed anonymously. Make sure the cost to identify you exceeds the theoretical damage of the hack.
Probably the best advice in this thread so far (better than mine, I think, at least) is

https://news.ycombinator.com/item?id=34934091

It's an approach that's specifically calculated to minimize the blowback.

I would try reporting it to the company, maybe also the FBI or FTC, or if you aren't too comfortable contacting them, you can try also contacting someone like Brian Krebs who presumably knows who to contact about data leaks of this nature. (Krebs' contact form: https://krebsonsecurity.com/about/ )
Please do not ever communicate directly with anyone from a federal law enforcement agency. Only talk to them through an attorney. They are most definitely not on your side.
I can second this. My attorney says I can't talk much more about it.
The guy is from Canada.
Very much doubt that's going to stop US law enforcement. They go after people all over the world. And if they really want you and your country has an extradition treaty, it tends to favour the US side.
I'm not really sure what your point is. Because they're Canadian, they can't make a call to the FBI? They're Canadian, so they should report to a Canadian authority about US Citizen data? They're Canadian, so they're funny and this is a joke?
First I wrote: I would try reporting it to the company, maybe also the FBI or FTC

Response was: Please do not ever communicate directly with anyone from a federal law enforcement agency. Only talk to them through an attorney. They are most definitely not on your side.

Then I wrote in response: The guy is from Canada.

So all three of your guesses are wrong. I'm stating that a Canadian has much less to worry about (compared to a US citizen) when contacting a US law enforcement agency about a compromise in the security of a US company that impacts multiple US states.

You could also check https://iapp.org/resources/article/state-data-breach-notific... and report it to state authorities in the relevant states (whichever you think those are). These notifications are usually supposed to be made by the company responsible for the data breach, but I imagine some of the state authorities would be interested to get a third-party report too.
Unfortunately, Brian Krebs did not answer for a week. Started thinking a data leak is not a super interesting topic for professionals. It happens every week, so my discovery is just another data leak.
There are so many possible bad outcomes that can result from these options. Not a good idea at all imho.
The replies to this post are almost universally depressing. Really? Reporting to the company is so obviously bad for the reporter in the USA? There is no protection from malicious prosecution just for 'reporting' a data breach. That's crazy.
It's because the patients are running the sanitarium here.

The typical cost of legal actions pursuant to a data breach is so low, it doesn't make dollars or sense to give a shit about customer infosec.

It's not like we don't have perfectly capable people, or that the companies in question don't care about information security in general. For example, it's exceedingly rare to see a data leak that makes individuals or institutions look bad from a PR standpoint (like Snowden).

But customer data? why bother? what, are they gonna slap us with a million dollar class action? I'm quaking so hard in my boots my multibillion market cap is gonna fall off.

Do nothing. If you or someone contacts law enforcement, you will be hounded for the rest of your life if you are lucky, if unlucky you will go to prison. You seem like a morally upright person, so selling or leaking the data is also not an option. You are not responsible for the incentives created by the justice system, and inaction in the face of justice system incentives is not morally wrong.
Do not under any circumstances report the leak with your actual identity. If you want to do so anonymously, go for it.

However that said, there is no upside in you reporting the leak, only downside potential.

> there is no upside in you reporting the leak

There is: not letting it be, raising awareness and contributing to prevention of a normalization of such things. If everyone held a "let sleeping dogs lie"/"not my circus, not my monkeys" attitude it would gradually become a norm and this benefits no one (but possibly bad actors).

However, exercising caution never hurts, so it shouldn't be a bad idea to reach out anonymously and explicitly state that you have nothing to do with the issue at hand and are merely an observer who noticed its existence. Doing so through a trusted third party who is experienced with handling such situations (many names in the comments already) is probably the best approach.

> it would gradually become a norm

It already is a norm. Companies and organizations leak data constantly and there are near zero repercussions. At best a tiny fine that's utterly irrelevant to their fiscal position. An hour of earnings.

Meanwhile individuals who are trying to do good more often than not are accused of hacking, blackmailing, CFAA violations, etc and may end up with serious individual repercussions, fines, fees, or jail.

It's absolutely not worth it on an individual basis. I cannot stress this enough.

Yes it's the ethical thing to report it. Do you know how many people get harassed by stalkers every year in the US? I wouldn't put your name on the report though, just report anonymously.
These comments are doom and gloom from people who have read articles but haven't been there. I've reported over a dozen medium size leaks and not once has the company tried to come after me. They haven't all fixed them, and for those I haven't pushed, but most of the time they're grateful. If you're worried, contact Troy Hunt and have him be an intermediary for you, as others have suggested.
These comments are doom and gloom from people who have read articles but haven't been there. I've crossed the local railway tracks, blindfolded and earmuffed, over a dozen times, and not once has a train hit me. If you're worried, contact a random Australian dude working for one of the biggest cybersecurity threats on the planet, who also seems to pass time by counting cars that pass over a nearby bridge, and have him be an intermediary for you, as others have suggested. It will be great!
Have you ever disclosed a vulnerability? Ever had one to disclose?
no
Unfortunately, he did not answer for a week. Started thinking a data leak is not a super interesting topic for professionals. It happens every week, so my discovery is just another data leak.
At best you get a pat on your back, at worst you go to jail: why should anyone take the chance?
For the same reason you should stand up to the police when you know your rights, because if you don't, what's the outcome then?
If it were me I'd honestly do nothing. History has shown it's equally likely to be a lose-lose scenario. Let it remain as-is.

If it's related to protecting children or a vulnerable group, maybe report it. Otherwise, whatever.

Either way, don't do it in a way that they know it was you who found it.

Isn’t any group “vulnerable”? What does that word even mean?
Vulnerable groups are physically, mentally, or socially disadvantaged persons. Can be groups like disabled folks, migrants/refugees, and children.
Everyone is vulnerable when it comes to identity theft, but the OP’s position, should they notify anyone, is a lose-lose one regardless.

Morally they should “do the right thing”, but as many have explained in the comments, this will end up costing anything from reputation to money to freedom.

It really sucks that the only sane advice here is to sit on it and move on :(

Ask if they have a bug bounty program first. From ProtonMail.
Proton isn’t an anonymity silver bullet, and, as others have indicated, your opsec is generally worse than you believe it to be anyway.

Also, to have your first contact with the company be “I’ve found a problem and I want money” might get Legal rather than IT involved, and then you’re on the back foot.

Hi, do you have a bug bounty program? Or do you operate a private bug bounty program for security researchers? If so, what is the process to be invited?

No? Zerodium.

Several commenters suggest doing nothing to stay out of trouble. What if the system is compromised by someone else, possibly with bad intentions, tomorrow? You might already have left traces. If an investigation is conducted it could lead back to you. Not reporting it could get you in a lot more trouble. Read up on the topic of Responsible Disclosure. Or consider reporting it through a lawyer and journalist, as others have suggested.
Depends on how good OP's opsec is as a security researcher. If they're any good, they should know what traces they left. Did they use a VPN via a coffee shop's wifi, or did they connect from home? Canada is a different country from the US though, so it might be time for them to lawyer up and see how extradition works for CFAA violations.
Nothing. Burn all the evidence (literally or figuratively as appropriate, use common sense) and walk away. If you're expecting gratitude, if you expect the company to say "my goodness, thank you for finding our security hole", you are setting yourself up for bitter disappointment. Better if you were never here and knew nothing.
Maybe frame it as a regular bug in a legitimate use context? Lead them to their own discovery of the vulnerability, and they'll think they found it all on their own.

"Oh I used your sample API call but I keep getting out of memory errors." <your code has a bug in it that exposes the vulnerability itself>

You should, yes, but the world is full of "shoulds" that aren't followed, often for entirely valid reasons. If the organization doesn't have a public bug bounty program, then I wouldn't report it to them; find an intermediary to whom you can anonymously dump the information. Even something as trivial as "view source" is liable to get you investigated for 'hacking', which is a hassle you just shouldn't have to deal with. Here's the story of a journalist in Missouri who had that happen to them.

https://www.vice.com/en/article/pkpmj7/this-is-the-hacking-i...

Whatever you do, go to a lawyer first.
I'm asking myself whether you have freedom anymore in the US/Canada if many here suggest not reporting a data leak because of the consequences it could have. It sounds like dissident behaviour from China.
This is so weird to read...

"In the US/Canada things are like this. It sounds like it's China."

It's literally not China, but the US/Canada. It sounds like the US/Canada. Because it is.

Then why fear from authorities/state?
I don't understand your question. Care to elaborate?
Then I probably don't understand your first response.
I'm just pointing out the cognitive dissonance of seeing something that's literally happening in the US and saying it sounds like China.

It doesn't sound like China. It sounds like the US, because it is.

> Security research is my hobby.

Yet you are not prepared for an important consequence of the results of your research.

Perhaps you should consider changing hobbies.

Look for a www.domain-of-the-company.com/security.txt file. That's where you might find a responsible disclosure contact if the company has one (high chance they don't).
https://www.netflix.com/security.txt exists, but Apple, Google, Microsoft, and Meta don't have one.
TIL! That's great!

The RFC for it came out April 22 and has backing by quite a few organizations.

https://securitytxt.org/

Doesn't seem like a widely used convention.
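For the security.txt convention discussed above, here is an added example (not code from the thread or from securitytxt.org) that parses a security.txt file and checks the two requirements RFC 9116 makes mandatory: at least one Contact that is a URI, and exactly one unexpired Expires timestamp. It also skips the OpenPGP clearsign framing the RFC recommends, and it knows both file locations: the RFC's /.well-known/security.txt and the root-path form named in the comment above. The sample files and the host example.com are constructed placeholders.

```python
"""Parse and sanity-check a security.txt file (RFC 9116).

Added example, not code from the HN thread or from securitytxt.org.
The samples below are constructed; example.com is a placeholder host.
"""
from datetime import datetime, timezone
from urllib.request import urlopen

# Fields defined by RFC 9116. Contact and Expires are mandatory; names are case-insensitive.
KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "Encryption", "Expires",
                "Hiring", "Policy", "Preferred-Languages"}
_CANON = {f.lower(): f for f in KNOWN_FIELDS}


def parse_security_txt(text):
    """Return {field: [values]} from security.txt text.

    Comments (#), blank lines and the OpenPGP clearsign framing that RFC 9116
    recommends (BEGIN PGP SIGNED MESSAGE ... BEGIN/END PGP SIGNATURE) are skipped.
    """
    fields = {}
    in_signature = in_clearsign_header = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            in_clearsign_header = True      # "Hash: ..." lines follow until a blank line
            continue
        if in_clearsign_header:
            if not line:
                in_clearsign_header = False
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            in_signature = True
            continue
        if line == "-----END PGP SIGNATURE-----":
            in_signature = False
            continue
        if in_signature or not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        name = _CANON.get(name.strip().lower(), name.strip())  # normalise case of known names
        fields.setdefault(name, []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Parse and return (fields, problems); an empty problems list means the file
    satisfies the RFC 9116 requirements this function checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("missing mandatory Contact field")
    for c in contacts:  # RFC 9116 requires a URI, e.g. mailto:, tel: or https:
        if not c.lower().startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact is not a mailto:/tel:/https: URI: {c!r}")

    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append(f"Expires must appear exactly once, found {len(expires)}")
    else:
        try:
            ts = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if ts.tzinfo is None:
                ts = ts.replace(tzinfo=timezone.utc)
            if ts <= now:
                problems.append(f"file expired on {expires[0]}; treat its contacts as stale")
        except ValueError:
            problems.append(f"Expires is not an Internet date/time value: {expires[0]!r}")

    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name!r} (RFC 9116 readers ignore it)")
    return fields, problems


def fetch_security_txt(host):
    """Fetch the file for a host: RFC 9116 location first, then the legacy root path
    mentioned in the thread. Needs network access; not used by the offline samples."""
    for path in ("/.well-known/security.txt", "/security.txt"):
        try:
            with urlopen(f"https://{host}{path}", timeout=10) as resp:
                return resp.read().decode("utf-8", "replace")
        except OSError:
            continue
    return None


# Constructed samples (not from any real organisation).
SAMPLE_OK = """\
# Security contact information for example.com (constructed)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Policy: https://example.com/security-policy
"""

SAMPLE_BAD = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00.000Z
Foo: bar
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        fields, problems = check_security_txt(sample)
        print(label, fields.get("Contact"), problems or "no problems")
```

Running it offline reports no problems for SAMPLE_OK and three for SAMPLE_BAD (a bare e-mail address instead of a mailto: URI, an expired file, and an unknown field). An expired file is the case worth noticing in practice: RFC 9116 says its contents should not be trusted after the Expires date, so a stale file is no better than none.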
If you want to do the right thing and help fix it use a burner phone to send proof and let someone else break the news who actually has something to gain from it. Like a news agency local to the company perhaps. You have nothing to gain and a lot to lose.
Burner phone? Those only exist in the movies, like pew-pew silencers. In real life, mobile telecommunication systems are some of the most easily traced systems of all. Anonymous email like ProtonMail, sent from a free VPN using a downtown Starbucks free WiFi would be far, far more opsec-friendly.
EFF perhaps. They have lawyers.