by lpapez
1217 days ago
The fact is that you gained unauthorized access to personal information, which might be a criminal offence in your jurisdiction despite your honorable intentions. My advice is to let it go and not implicate yourself any further. Relevant personal anecdote from the EU: one time I was checking the API of a service I wanted to use and managed to obtain full access to the database, which among a bunch of PII also contained plaintext passwords. Being a good citizen, I decided to report the problem to the national CERT instead of the company, because I had prior experience with such reports where the company reacted with a lawsuit threat. The response from CERT was "While your intents are noble, you just admitted to gaining unauthorized access and we will forward this information to the company if they decide to take legal action". This was 2 years ago; luckily the company did not press charges, the data in question is still wide open for hacking, and I could not care less anymore. Learned my lesson that there is no room for good Samaritans in web security.
Further, I am not sure the company can prove this is unauthorized access when they provide the data without requiring authentication (through negligence). They could claim, "we made it open to the public, but the public is not supposed to download it", but this is a difficult claim; e.g., it should have been clearly stated on their website at minimum. It's a bit like public photography.