HACKER Q&A
📣 southerntofu

What to do when you learn someone's credentials have leaked?


How can I reach Gmail and other megacorps to let them know an account was probably compromised? These people don't even have a contact form...

Long story: So I was hanging out on this perfectly legit forum when a sketchy person started to ask if we could provide them 1TB of storage that they could pay for, but would rather go with a friendly transaction than through a business. Sounds nice so far; maybe a fellow FLOSS hacker has too much stuff to back up?

They claimed it was 1TB of logs, which raised our suspicions, but they said it was all legit and we could look through it, they wouldn't mind. So we got a 2MB sample zip, but inside were stolen credentials from a third person, as well as - you guessed it - malware named "Passwords.txt.lnk". It looks like the credentials were compiled by malware called Redline.

So now I have tons of passwords for this poor 3rd party but no way to contact them to let them know they've been pwned. Any ideas? I thought about contacting Gmail & others so they can probably SMS this person, but for most of those accounts I could not find contact info for the sysadmins or security team.

Going to the police is probably not gonna help and might get me and other friendly people in trouble for accessing this data in the first place, so I'm not going for that. To be clear, I haven't tested any of these credentials, but I'm assuming they're real since the usernames/passwords have some resemblance yet subtle variations.

What would you do?
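For anyone who ends up holding a "sample" like the one described above, the practical first step is to triage it without ever opening the disguised shortcut and without copying a single password anywhere. The script below is an added example, not code from the original post or from any commenter: it builds a constructed zip in memory (a fake credential dump, an inert placeholder for `Passwords.txt.lnk`, and a harmless text file), lists the members without extracting them to disk, flags entries whose final extension is executable (which covers the `something.txt.lnk` double-extension trick) and records their SHA-256 for a report, and turns the credential text into a per-service inventory with usernames masked and passwords never stored. The `URL: / Username: / Password:` block layout is an assumption about how stealer dumps are laid out; a real sample may differ.

```python
"""Offline triage of a suspected stealer-log archive (added example).

Lists zip members without extracting, flags disguised executables, and builds
a redacted per-service inventory suitable for notifying a provider or CERT.
All sample data below is constructed; the credential block format is assumed.
"""
import hashlib
import io
import re
import zipfile
from collections import defaultdict
from urllib.parse import urlsplit

# Final extensions that have no business inside "logs". Only the last
# extension matters, so "Passwords.txt.lnk" is caught by ".lnk".
DANGEROUS_EXT = {".lnk", ".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta", ".ps1"}

# Assumed layout of stealer credential dumps: blank-line-separated blocks of
# "Key: value" lines. Adjust the keys if a real sample uses different labels.
CRED_LINE = re.compile(r"^(URL|Username|Password|Application):\s*(.*)$", re.I)

# Constructed sample dump (fictional accounts and passwords).
SAMPLE_PASSWORDS = """URL: https://accounts.example.com/login
Username: alice@example.com
Password: Hunter2!
Application: Chrome

URL: https://accounts.example.com/login
Username: alice.work@example.com
Password: Hunter3!
Application: Chrome

URL: https://mail.example.org/
Username: bob
Password: correct-horse
Application: Firefox
"""


def is_suspicious_name(name):
    """True when the member's final extension is one we refuse to process."""
    base = name.rsplit("/", 1)[-1].lower()
    return "." in base and "." + base.rsplit(".", 1)[-1] in DANGEROUS_EXT


def mask_username(user):
    """Keep the first character and any @domain so a provider can recognise the account."""
    local, sep, domain = user.partition("@")
    return local[:1] + "***" + (sep + domain if sep else "")


def parse_credential_text(text):
    """Parse assumed Key: value blocks; a password's presence is recorded, its value discarded."""
    records, current = [], {}
    for line in text.splitlines():
        m = CRED_LINE.match(line.strip())
        if not m:
            if current:
                records.append(current)
                current = {}
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "password":
            current["has_password"] = bool(value)  # never retain the secret itself
        else:
            current[key] = value
    if current:
        records.append(current)
    return records


def triage_archive(data, max_text_bytes=5_000_000):
    """Inspect a zip held in memory; nothing is written to disk or executed."""
    result = {"entries": [], "suspicious": {}, "inventory": {}}
    counts = defaultdict(lambda: {"accounts": 0, "usernames": []})
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            result["entries"].append((info.filename, info.file_size))
            if is_suspicious_name(info.filename):
                # Hash it for the report; do not parse or open it.
                result["suspicious"][info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
                continue
            if not info.filename.lower().endswith(".txt") or info.file_size > max_text_bytes:
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for rec in parse_credential_text(text):
                host = urlsplit(rec.get("url", "")).hostname
                if not host or "username" not in rec:
                    continue
                counts[host]["accounts"] += 1
                counts[host]["usernames"].append(mask_username(rec["username"]))
    result["inventory"] = dict(counts)
    return result


def build_sample_archive():
    """Constructed sample zip: dump text, inert .lnk placeholder, benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Passwords.txt", SAMPLE_PASSWORDS)
        zf.writestr("Passwords.txt.lnk", b"L\x00\x00\x00" + b"\x00" * 60)  # inert placeholder bytes
        zf.writestr("System.txt", "OS: Windows 10\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_archive(build_sample_archive())
    for name, digest in report["suspicious"].items():
        print(f"SUSPICIOUS {name} sha256={digest}")
    for host, entry in report["inventory"].items():
        print(f"{host}: {entry['accounts']} account(s), e.g. {', '.join(entry['usernames'])}")
```

The inventory (hostnames, counts, masked usernames, file hashes) is what a provider's security team or a CERT actually needs to act; the passwords themselves add nothing to a report and are the part that creates legal exposure for whoever keeps them.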


  👤 dredmorbius Accepted Answer ✓
If you are in the US, or the incident involves US individuals or firms, US CERT would be a likely reporting point:

https://us-cert.cisa.gov/forms/report

You might want to reach out to the EFF (info@eff.org), or researchers such as Brian Krebs (contact form at https://krebsonsecurity.com/about/) or Troy Hunt (Have I Been Pwned; contact page including email: https://www.troyhunt.com/contact/).

It might also be wise to get personal and/or legal counsel to cover procedures and speak for you, which they can do without necessarily incriminating you.

Phil Venables is CISO of Google Cloud:

https://www.linkedin.com/in/philvenables

https://www.bloomberg.com/profile/person/20055418


👤 tragictrash
Reaching out yourself puts you in danger. Pass it on to a pro like dredmorbius suggested. Get legal counsel. You are already involved, don't make yourself a target for these mega corps to fuck. Your intentions may be noble but these companies aren't your friends. Do the right thing and wash your hands. Do not paint a target on your real name.

👤 ipaddr
I would inform the forum you met the person on.

How would you inform the user in a useful way?

Directly... no, wouldn't work.

Indirectly... Log in to every account through Tor. The user will get security notifications from many services, which will trigger them to change their passwords.


👤 xchip
Asking for a friend, I presume :)