by nerdawson 1217 days ago
I'd question whether the potential blowback of doing the right thing is actually worth it.

Some organisations will be grateful for your help and you get that warm feeling that comes with knowing you've helped to protect people's data. But when it goes wrong and you become the target of the organisation's ire, the personal consequences can be severe.

Example: https://news.ycombinator.com/item?id=29745960


I absolutely agree. It is unlikely that I will be thanked for such an act.

Destroy the reputation of a company with 10+ years of experience on the market. And force dozens of other companies across the U.S. to apologize to their customers for leaking data.

Not to mention lawsuits and fines for such a leak.

How about this for an idea:

1. Find the least-incriminating/reputationally damaging records within whatever quantum of the data you are prepared to look at

2. Make a website (with a landing page like for security bugs >.>), Tor site, pastebin dump or whatever else that seems reasonable

3. Publish 1-10% of the data (!)

4. Encourage the site to do the news rounds

5. Explicitly email the company to be concretely sure they know about the site (maybe even do the CC bomb thing, for extra overkill bonus points)

6. Provide contact info with clear indication you will promptly provide all info to an adequately verified third party

The leak should disappear within the hour presumably.

Naturally, brain-breaking levels of self-protection would necessarily need to be employed, to guard against incompetent/egoistic retaliation (and the systemic resources large organizations effectively own). Make the Protonmail address from a VPN over a VPN over Tor, for example. Or perhaps start with a voice-scrambled VoIP call before committing to a video chat. Good luck here, basically.

Take this advice if you want to make sure you have a good chance of ending up arrested. That is to say, don’t.

Your opsec is always poorer than you think it is.

Just send an anonymous tip to Brian Krebs or similar if you want to do the noble thing.

Mmmm. Yeah, the above is my lack of experience talking, hehe. The very last thing to take armchair advice on, lol.

This is almost exactly the opposite of what you should do in this situation.
> 3. Publish 1-10% of the data

What?

Proceed anonymously. Make sure the cost to identify you exceeds the theoretical damage of the hack.

Probably the best advice in this thread so far (better than mine, I think, at least) is

https://news.ycombinator.com/item?id=34934091

It's an approach that's specifically calculated to minimize the blowback.