Ask HN: I found a pretty extreme data leak and I'm not sure what to do
Long story short, through a bizarre chain of events starting from trying to hire a contractor online, an anonymous person (the title is from their perspective) has uncovered and has access to thousands of user credentials (email + CLEARTEXT password), associated addresses, company information, as well as associated active API keys for stock and crypto exchange accounts, and to top it all off some of them have withdrawal permissions.
The entity affected by this vulnerability is NOT a trustworthy company, it is not even a registered company. The service is operated by individuals and not under a registered business entity. The anonymous person wants to assure you that no sane person would ever subscribe to it, they are providing technically borderline illegal / grey area services (for they are not licensed as they should), yet there are thousands of paying active users.
The nature of access is such that it is somewhat hard for bots to find, which the anonymous person assumes is the reason it seems untampered with, but they have not tried executing write operations so they have no idea if it may only be read-only access and bots had a field day on it already - they doubt it at this point. The database itself also contains admin credentials to an internal administration interface which HAS write permissions.
Now, there might obviously be some documentation going on, but they are seriously wondering what to do with this before anything else.
As far as they see it, there are three options right now:
1) Contact the site owners themselves and let them know, but the... service they run seems shady, it is not a company, and the anonymous person worries that they might try to simply sweep it under the rug without informing their customers or doing nothing at all about it (if they are even still around, the last admin login in their system seems to be from March even though there are thousands of users still active)
2) Scrape off the email addresses and send emails to the affected individuals, warning them of the data leak, urging them to change their passwords and disable the API keys, however the anonymous person worries that their emails either get routed to spam or ignored by a good amount of them
3) Nuke the data to prevent any future harm
They are super lost.
> Now, I'm obviously documenting this insanity to write a blog post over the next couple of days,
Many countries have hacking laws that are exceptionally broad, written in the 1980s by legislators who had never even touched a computer. A law might, for example, ban "gaining unauthorized access to a computer system"
This means that if you accidentally find what looks like a security problem, and you look around a bit to make sure you're not raising a false alarm - you're already in violation of the law.
If your country has any such laws, to claim credit for your discovery would be to admit to a crime.
And while you might not have done anything you think of as hacking, put yourself in the mindset of the site operator. They might feel as if you've put a gun to their heads, or that scaring you into shutting up and deleting any data you've downloaded is them protecting their customers - they might go to the cops and give the cops a very different perspective.
If you want to alert the world to this breach, may I suggest downloading the breached data anonymously and e-mailing it anonymously to Troy Hunt of Have I Been Pwned?
Anonymous disclosure to a trusted party is the only correct answer. Excellent advice.
A few years ago I had an app that checked emails for leaks. Never collected the queried emails. Google didn't like it and banned my account without any warning.
I will tell an anonymous person to do this, but I’m not sure if Troy Hunt cares about a random one-of-thousands service and a few thousand affected users.
A few minutes ago, you were calling it a "pretty extreme data leak" and "millions of dollars" so I think he'd at least know how to validate the leak and enter it into HIBP.
These statements stand unchanged. The usage of "pretty extreme" could be regarding the "quality" of data, not quantity. Compared to the usual data leaks on HIBP it seems like an occurrence that happens frequently and the affected user count is abysmally low. Some anonymous person might fire off an email to Troy Hunt regardless.
Is this something you'd get extradited for? Sounds like they're not in the same country.
Re: steps 2 and 3, they could (and I would emphasize that I'm not a domain specialist) be perceived as being criminal in nature - obviously depending on the jurisdiction(s) involved. With respect to IT, history has shown that the road to a prison cell is paved with good intentions. You might be expecting gratitude but there's a good chance you'll come up against a 'shoot the messenger' mentality.
Here's some quick US related info:
https://www.thefederalcriminalattorneys.com/federal-computer....
Step 3 is definitely and understandably so not a very legal thing to do, however I'm not sure about simply sending off emails? The person in question did not do anything illegal to gain access to this database in the first place, it is wide open.
They are not realistically expecting gratitude, they are simply not willing to ignore this risk to other humans.
It doesn't matter if the front door of a house is locked or not. If you go in, you're going to be charged with at least attempted burglary if no one is home, and attempted robbery if someone is home. It's still trespassing, and you'll have a very hard time convincing anyone that you were there simply to observe if you're caught.
The database being wide open has nothing to do with anything, really, except the severity of it all. If you use that information for any purpose you are probably in violation of one or more laws, depending on where you and the data are.
Fair enough. I don't think they are planning to use any information.
Whether you did or didn't do something criminal to gain access to the emails would likely be determined by the mood of the prosecutor on a particular day or, worse, by a judge or jury. Perhaps the most advisable course would be to contact your local bar association for a referral or the EFF.
They are not based in the United States, but I think you are right regardless and they will call an attorney tomorrow.
You do not need to be based in the U.S. in order to be prosecuted for a crime against the U.S.
https://en.wikipedia.org/wiki/Personal_jurisdiction_over_int...
Not being based in the US doesn't mean that you can't be criminally prosecuted in the US or, for that matter any jurisdiction that takes an interest and has a generous belief in the extra-territorial applicability of its laws.
Just document the fuck out of everything you did dude, no matter what you choose to do.
Trust me, they are.
Do NOT nuke it.
Maybe contact Have I Been Pwned?, work with them to add it to their leak database, notify site owners afterwards with a timeframe for disclosure and release your findings/blog post? Give people a way to check with HIBP, site owners a way to mitigate and claim the credit for the discovery.
This is probably the best option for anyone actually trying to fix the problem.
https://haveibeenpwned.com/FAQs#SubmitBreach
> If you've come across a data breach which you'd like to submit, get in touch with me. https://www.troyhunt.com/contact
Good luck on your OPSEC, should not have used your 7 year old account... might hit up dang to change the account so you don't get kidnapped.
Seriously, this. You just publicly stated you have access to millions.
That is not a very special occurrence. I’d argue you can find almost anyone with access to a million dollars online. Just go to Twitter or so.
Take a look at the HN reaction to your post, this is a special occurrence. Regardless it's your decision and I imagine you have your reasons.
Finding such a thing might be somewhat special, but (referring to your comment) having theoretical access to money is definitely not a special thing.
Right, and Have I Been Pwned is about findings.
Yes sir, not contesting any of that, Troy Hunt may receive an anonymous email soon.
He might have tried a burner account that never got approved (so no posting showing up).
I've never been in this situation, but this seems like a good option--reach out to someone like Troy Hunt of Have I Been Pwned or a tech journalist who does security related content(maybe someone at Arstechnica?). They probably know how to raise awareness in a way that reduces their personal liability.
Be very, very careful - as ANYTHING you do might land you in hot water. Better consult a lawyer before doing anything.
Personal anecdote: some years back, I was working with a major government agency and I uncovered a huge security problem (a print queue was unprotected and any user could read the ultra-secret, world's-fate-altering documents). I promptly reported the issue and, instead of a commendation, I nearly got myself arrested.
Legal aspects and institutional rules can be complex and counter-intuitive - they can punish even the Good Samaritan!
Again: consult a lawyer before doing anything.
Recently the governor of Missouri, Parson, tried to prosecute a professor who found a huge leak of teacher data. The professor informed the state about it before writing any articles on it and made sure it had been fixed. It just embarrassed the governor, whose office was responsible for security. The governor then proceeded to embarrass himself even more by calling him a hacker (it was raw HTML) and threatening prosecution and ordering a two year investigation. The professor still had to hire a lawyer and deal with this for two years.
https://krebsonsecurity.com/2022/02/report-missouri-governor...
It changes nothing about your post, but I believe it was Base64 Encoded session state.
Within the raw HTML certainly, but not quite cleartext.
It’s essentially the same. If anyone even searched for that info, several search engines could decode it automatically.
If I see a base64 blob in a webpage, you can bet I'm going to decode it.
Option 4: Do absolutely nothing. Slowly step away from the vehicle. And walk away.
Option 5: Take the money and run
Seriously though, I'd just contact Brian Krebs and go from there.
Krebs is not a bad idea as he would cover not only the leak but the (allegedly) shady nature of the service. He’s read by a lot of serious people including law enforcement and national security.
Negotiate your own anonymity with him BEFORE you provide any actual info (this goes for all reporters BTW).
Another option is to drop a write-up in The NY Times or Washington Post Secure Drop TOR service. They both have serious info security reporters.
No guarantee any of these options will pick up the story, of course.
They would rather not live in the assumption that they are responsible by proxy/neglect.
"A clear conscience? When did you acquire this taste for luxuries?" - https://www.youtube.com/watch?v=jNKjShmHw7s
[You do you, but "letting people know a crypto company in Russia(?) is a bit shady" is not at the same level as walking past a person in trouble and ignoring them. The risks to your person and life of 'hacking' a multi-million dollar financial company, across national borders, into a country in an active war and sabre rattling to the rest of the world, have got to be worth some serious consideration and not just a hurried blog post written in a couple of days].
They are, or I wouldn’t be posting here, but I sincerely thank you for your concern and advice.
Since merely knowing what the OP knows already likely implicates him in at least one felony, you (and he) might want to think about that very carefully.
It's either that or probably go to prison. I know what I'd pick :)
"The only winning move is not to play"
I've done a fair amount of similar disclosures and have had good and bad experiences.
First, consider consulting a lawyer. Then, consider sending it to a reporter who specializes in cybersecurity and who isn't shy about reporting on these issues. They have protocols for this sort of thing and will do proper disclosures beforehand. A way to think about it is that once the reporter reaches out, the company will be in panic mode and try to correct the problem ASAP before bad press gets out. They understand that because a reporter is reaching out to them that an article is in the works and their only option is damage reduction, considering the worse alternative. Reaching out on your own without protections will lead to headaches.
IANAL.
First, thank you very much for your comment, secondly, the anonymous person has forgotten to specifically highlight a certain detail
- The entity affected by this vulnerability is NOT a trustworthy company, it is not even a registered company. The service is or was operated by individuals and not under its own registered business entity.
They obviously do not wish to describe this service any further, but they want to assure you that no sane person would ever subscribe to it, yet there are thousands of paying active users.
It sucks for these people, but as you say, they did something insane with their money. I agree with everyone else here who's recommended you speak to a lawyer and then back away. It might be uncomfortable because you (or they) seem fairly conscientious, but you won't change much anyway. Some people might withdraw and then do some other very risky thing with the money. Or maybe you trigger the service immediately closing shop with no withdrawals. Moreover, organized crime is alive and well in this area. Don't assume that because this is an online scam they are not connected. From the sound of it there are millions of dollars at stake for them, and at most a nagging feeling for you saying you should have done something. Or maybe making a name for yourself. In any case it's not worth it. Calling out a random unregistered Russian crypto "business" that people already know is shady won't do anything.
One thing a lot of white hat wannabes don't seem to understand is that for some vulnerabilities it's not worth the risk of reporting them. There was an article here a few months ago about someone who found a vulnerability with a bank, they reported it to their boss, and they got fired.
To me this definitely feels like it falls into that category. You said the site is really shady to begin with. You are not responsible for the people who are stupid enough to sign up in the first place, so yes, you can have a clear conscience by just ignoring it.
Let's pretend it's a less shady site and doesn't involve crypto millions, and you want to report it: I'd look to see if they have a security reporting policy. If they don't, I'd send a vague email "Hello, I think I found a security vulnerability on your site, can you put me in touch with the right person to report it to?" to their main contact address (info@, support@, whatever) and see what the response is. If you get an angry response or a lawyer or just no response, then time to forget it. If you get a developer who sounds like they understand you, then you can proceed.
From what you’re describing it sounds a bit like a crypto honeypot … there’s a lot of sites that pose as crypto exchanges but are actually scams, they deliberately expose credentials and have accounts with (fake) millions of dollars in crypto money in them.
Except, when you go to withdraw there’s usually some restriction where you can only withdraw to another site account, so you sign up and are forced to deposit some crypto to activate your new account. Then you’ve lost your money.
Astounding the lengths people will go to avoid having to provide a real good or service.
Yeah I wouldn’t believe it if I had not seen a few of these firsthand. So much wasted effort…
It is not a honeypot, it’s a service that uses these API keys.
I am aware of the withdrawal logics.
Fair enough, just thought I’d warn you just in case.
You just told the world about a compromised site that has something to do with crypto and stocks. That was your first mistake.
If you want to white hat this you should just contact the admin and mass mail everyone affected and wash your hands of it.
Nuking the site could destroy those people's crypto forever. Don't do that.
Of course they want to white hat this.
Their cryptocurrency is not stored on this site.
You can't white hat this anymore, what is described is already pretty dark grey.
1) talk to a lawyer to make sure you’re protected 2) read up on anonymous responsible disclosure - you have to give them the chance to patch it themselves in a reasonable amount of time
> you have to give them the chance to patch it themselves
No you don't. If they're just going to bury the truth and hang their users out to dry then the responsible route is to bypass them.
Stop everything you are doing. Contact a lawyer immediately.
Do not do any of the things you are considering. People go to prison for this stuff.
4) Regret posting this publicly.
I have not committed any kind of crime. I'm just telling the story of another person.
In the US unauthorized access of a private system, particularly with financial records or other protected data, is a crime: https://www.law.cornell.edu/uscode/text/18/1030 Doesn't matter how you got access, it just matters that you did it. It is very broad and very vague, but a lot of hackers in the 90s were put in federal prison for some time under this and similar laws.
I would stop posting about this on the internet.
You probably have. You just don't know it.
Fair enough
To know what you just admitted to knowing, you did commit a crime in at least some jurisdictions (US being one). Rarely prosecuted, but still.
[https://www.law.cornell.edu/uscode/text/18/1030] 18 US Code 1030, section (a)2(a). Section (b) is something to be wary of as well.
Section (c) seems to say it’s ONLY up to 5 years in federal prison though and $1k fine.
Honestly, doubt anyone would bother if you didn’t try to profit from it, but who knows.
Edit: add link to US Code
You've sought a key, found it, then deliberately gave it to burglars, in which country is that not a crime?
I understand the urge to share these feelings to someone, but this is way stupid. I've flagged your post btw.
.. deliberately given it to burglars? Absolutely nil has happened besides finding this.
good luck convincing anyone that a site called 'hacker news' isn't full of burglars
as a matter of fact i'm burgling right now
Thanks for the laugh. Okay, guilty by association.
Like 2 days ago you identified yourself as being in the Netherlands. Not sure how much other private info you have leaked in your comments. I recommend deleting everything now while you hopefully still can.
This seems like bad advice at this point. I’m not a lawyer. Deleting things could be perceived as destroying evidence. Before doing anything get a lawyer involved.
First of all, I'm only telling a story of another unnamed person - besides, what exactly are you so worried about?
That someone will try to locate you and extract the information. You said that there are millions in these accounts and in some cases you can even withdraw money. That sounds like Christmas for criminals.
Do yourself a favor and never use this alias in here again. Or anywhere else for that matter. Even better delete the whole freaking post.
I don't have access to anything. Besides, I'm surprised that they would be the only person you know that has access to money.
Knowing someone who has money isn't the same as knowing someone who can provide access to thousands of active API keys to crypto exchange accounts. I'm not trying to spook you, but you don't seem to understand the severity of what you've just told to the public Internet. We're a bit paranoid in here because we've seen and heard a lot of weird shit over the years. Do yourself a favor and take this seriously, will you.
My car is unlocked in my driveway with the keys inside (it really is, I live in a safe country). In many jurisdictions you’ve done the equivalent of open the doors, sit inside, start the engine and take it for a roll around the block. Except instead of a car worth a few thousand dollars it’s a crypto exchange with possibly millions of dollars of assets.
That seems like an unfit comparison. If anything, they have found your key on the sidewalk, sat inside the car for 10 seconds, and then left again.
I think they would not care much for 1), 2) sounds good but might lead to yourself getting into legal trouble 3) sounds reasonable :)))
Is this of personal concern to you? I understand our position and responsibility in handling data and data incidents but it might be worth handing it to someone else. In Germany a go-to address would be the Chaos Computer Club, I believe they are happy to do responsible handling of something like this, but it might be of a non-concern to them if it's totally not connected to Germany. You might be able to find another org or approach a journalist for help.
Tread very carefully. You probably need a lawyer. Consider reporting with extremely careful anonymity to affected parties. Do not blog about it until and unless cleared to do so by a lawyer.
> Do not blog about it until and unless cleared to do so by a lawyer.
I anal but do not blog about it EVEN IF cleared to do so by a lawyer.
Get a second opinion anyways. It is you who risks prison, not the lawyer.
No blogging.
I anal too
I would scrape the data whole, then contact the site owners and send them a copy, maybe through an attorney.
Nuking the data will likely make you a fugitive of the law. I would not advise that.
The United States Department of Justice recently revised the CFAA to legally permit access of the type you engaged in (contradicting a few other comments here)
https://www.bleepingcomputer.com/news/security/us-doj-will-n...
The "right thing to do" is to contact your local CERT (don't give personal information and best use a throwaway email over TOR. Don't trust your local authorities).
https://en.wikipedia.org/wiki/Computer_emergency_response_te...
The irony is that data brokers often have this information and will sell to unscrupulous 3rd party buyers.
I'm surprised nobody has suggested contacting the FBI or other INTERPOL member force.
That's what I would do.
You can check some logins with ihavebeenpwned.com to see if the list has already been exfiltrated.
WARNING to people reading this comment: The correct URL is haveibeenpwned.com
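As an added example (not from either commenter above), this is how the Have I Been Pwned "Pwned Passwords" range check works, which is the check a defender would run on a password found in a dump to see whether it is already circulating: hash the password with SHA-1, send only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/{prefix}`, and compare the remaining 35 characters locally against the `SUFFIX:COUNT` lines the API returns (k-anonymity: the full hash never leaves your machine). The response body below is constructed for the example, with a made-up count, so the parsing and matching run offline; `fetch_range` is the one function that would talk to the real API.

```python
import hashlib
import urllib.request

# Constructed sample of what the range endpoint returns for the prefix "5BAA6":
# one "SUFFIX:COUNT" line per known-breached hash sharing that prefix.
# The suffix on the first line is the tail of SHA-1("password"); the count is
# made up for this example and is not a real HIBP figure.
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "0000000000000000000000000000000000A:2",
])


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form HIBP indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple:
    """Return (5-char prefix sent to the API, 35-char suffix kept local)."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, ignoring blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count_from_response(password: str, body: str) -> int:
    """How many times the password appears in breaches, given a range response."""
    _, suffix = split_hash(password)
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live call to the range endpoint (network required; not used offline)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str) -> int:
    """End-to-end check against the real API: only the prefix is transmitted."""
    prefix, _ = split_hash(password)
    return pwned_count_from_response(password, fetch_range(prefix))


if __name__ == "__main__":
    prefix, suffix = split_hash("password")
    print(f"send prefix {prefix}, keep suffix {suffix} local")
    print(pwned_count_from_response("password", SAMPLE_RANGE_RESPONSE))
```

Checking email addresses against HIBP's breach index is a separate, authenticated API, so for a credential dump the password side is the part you can verify this way without handing the data to anyone.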
I’ve never been in a similar position; but I’m thinking about what I’d do if I found the same.
The end goal here is to close the loophole so those affected can be safe as soon as possible with limited risk to yourself. My first thought was to reach out to either a trusted tech journalist that would keep their sources safe (keeping you anonymous), or reach out to an organization like the EFF which has a strong history of defending people's digital rights and interests.
I don’t know if either of these are good fits for their original purpose, but that’s where my mind went immediately. I’d think either would make good efforts to close the issue and keep you safe.
They have been considering this too, but realistically this is a little known service, there are thousands of it like it, and the affected user count is only in the thousands. I don’t know if any of these people would care in the first place. I will tell an anonymous person to try regardless.
As others have suggested - contact Troy / haveibeenpwned - https://haveibeenpwned.com/FAQs#SubmitBreach
Contact a lawyer to make sure you don’t go to jail and if they say you’re in the clear disclose everything.
Or be the source to some journalist and get protection there? But do disclose this so that affected folks can take action.
Great job for being so conscientious about responsible disclosure.
Reading these comments, it's amazing how hard it is to be a responsible person these days.
The bad guys would have no problem selling this data to make a quick buck.
While the anonymous person understands some of the responses, and will make super sure to do absolutely nil until they have spoken to an attorney (and obviously not access anything on purpose now), they too are a little bit surprised to see some users worried they might get kidnapped and similar.
It is like they have never seen any other regular person with money before.
As suggested by others, I think haveibeenpwned is the most likely to help users as much as possible.
From a personal liability PoV reporting this to some brokerages with affected accounts is an alternative that only contacts organisations with direct legitimate interest, specific obligations and immunity from a lot of the liability an individual researcher has.
Ask the site owners to start a bug bounty program.
Lol, trust me, they will not start a bug bounty program.
A roundabout way of doing 1+2 could be to find a reputable journalist and explain the situation to them. They could publish a story (possibly requesting comment from the site owners first) on it and keep you anonymous.
This could be a way to do the right thing while lowering your risk of being charged with violating some antiquated hacking law.
But also talk to an attorney before doing that.
Steps 2 and 3 are definitely illegal.
Send an anonymous email to the site owners / contact info if you want to be a good citizen.
Then forget about this. Not your leak, not your problem. Every user in the US has had their personal info, many passwords, and their social security info leaked by now anyway. Don't get personally involved.
At this point OP has publicly stated they have potentially committed a crime and intend to commit further crimes. An overzealous LEO can easily track down OP.
The only reasonable course of action is to contact a lawyer.
Well, the justice department announced this yesterday which should allow harmless white hat behavior: https://www.justice.gov/opa/pr/department-justice-announces-...
But doing anything further is a bad idea imo.
That statement absolutely does not bless “harmless white hat behavior”. That interpretation is a step on the path to prison.
The Justice Department said they might not prosecute some crimes, depending on how they feel about you.
Nobody is innocent. You do not want the Justice Department or any LEO sniffing around your life.
The CFAA is still law and violating it is still a crime. You can still have your door kicked down and your life ruined.
Tell the person to erase all trace he/she ever saw the data and to get a lawyer just in case. There's a distinct chance the person will be either blamed for the leak or even worse for hacking into the company. That's enough to completely ruin a life.
Exploit it, crypto isn't real money anyway it's just 1s and 0s
You found a dead body and started looking into its pockets... It's never a good idea. I'd step away immediately and notify the site owner. Anonymously, if possible.
Do the most ethical thing, and keep your good karma intact.
Why don't you try contacting a law enforcement agency, and let them handle it from there on?
This is terrible advice. Do not talk to the police. You have nothing to gain and everything to lose. Contact a lawyer.
https://youtu.be/d-7o9xYp7eE
What they did is a crime, going to the police to say "hello I did a crime!" is a legal Darwin Award.
You can contact the police anonymously, or through a lawyer.
If there is something they will not do until they have spoken to an attorney it is exactly this..
Don't do anything or they may come after you legally too.
Talk to a lawyer.
4) Do nothing
5) Sell the credentials ( less liability than 6)
6) yoink
Be a hero bro, be a hero.
Tell the owners of this?