HACKER Q&A
📣 _jvqm

I found a pretty extreme data leak and I'm not sure what to do


Long story short, through a bizarre chain of events starting from trying to hire a contractor online, an anonymous person (the title is from their perspective) has uncovered and has access to thousands of user credentials (email + CLEARTEXT password), associated addresses, company information, as well as associated active API keys for stock and crypto exchange accounts, and, to top it all off, some of them have withdrawal permissions.

The entity affected by this vulnerability is NOT a trustworthy company; it is not even a registered company. The service is operated by individuals and not under a registered business entity. The anonymous person wants to assure you that no sane person would ever subscribe to it; they are providing technically borderline illegal / grey area services (for they are not licensed as they should be), yet there are thousands of paying active users.

The nature of access is such that it is somewhat hard for bots to find, which the anonymous person assumes is the reason it seems untampered with, but they have not tried executing write operations, so they have no idea if it may only be read-only access and bots had a field day on it already - they doubt it at this point. The database itself also contains admin credentials to an internal administration interface which HAS write permissions.

Now, there might obviously be some documentation going on, but they are seriously wondering what to do with this before anything else.

As far as they see it, there are three options right now:

1) Contact the site owners themselves and let them know, but the... service they run seems shady, it is not a company, and the anonymous person worries that they might try to simply sweep it under the rug without informing their customers or do nothing at all about it (if they are even still around; the last admin login in their system seems to be from March even though there are thousands of users still active).

2) Scrape off the email addresses and send emails to the affected individuals, warning them of the data leak and urging them to change their passwords and disable the API keys; however, the anonymous person worries that their emails will either get routed to spam or ignored by a good number of them.

3) Nuke the data to prevent any future harm.

They are super lost.


  👤 michaelt Accepted Answer ✓
> Now, I'm obviously documenting this insanity to write a blog post over the next couple of days,

Many countries have hacking laws that are exceptionally broad, written in the 1980s by legislators who had never even touched a computer. A law might, for example, ban "gaining unauthorized access to a computer system".

This means that if you accidentally find what looks like a security problem, and you look around a bit to make sure you're not raising a false alarm - you're already in violation of the law.

If your country has any such laws, to claim credit for your discovery would be to admit to a crime.

And while you might not have done anything you think of as hacking, put yourself in the mindset of the site operator. They might feel as if you've put a gun to their heads, or that scaring you into shutting up and deleting any data you've downloaded is them protecting their customers - they might go to the cops and give the cops a very different perspective.

If you want to alert the world to this breach, may I suggest downloading the breached data anonymously and e-mailing it anonymously to Troy Hunt of Have I Been Pwned?


👤 pseudolus
Re: steps 2 and 3, they could (and I would emphasize that I'm not a domain specialist) be perceived as being criminal in nature - obviously depending on the jurisdiction(s) involved. With respect to IT, history has shown that the road to a prison cell is paved with good intentions. You might be expecting gratitude but there's a good chance you'll come up against a 'shoot the messenger' mentality.

Here's some quick US related info:

https://www.thefederalcriminalattorneys.com/federal-computer....


👤 vpb
Maybe contact Have I Been Pwned?, work with them to add it to their leak database, notify site owners afterwards with a timeframe for disclosure and release your findings/blog post? Give people a way to check with HIBP, site owners a way to mitigate and claim the credit for the discovery.

👤 supermatou
Be very, very careful - as ANYTHING you do might land you in hot water. Better consult a lawyer before doing anything.

Personal anecdote: some years back, I was working with a major government agency and I uncovered a huge security problem (a print queue was unprotected and any user could read the ultra-secret, world's-fate-altering documents). I promptly reported the issue and, instead of a commendation, I nearly got myself arrested.

Legal aspects and institutional rules can be complex and counter-intuitive - they can punish even the Good Samaritan!

Again: consult a lawyer before doing anything.


👤 foobarian
Option 4: Do absolutely nothing. Slowly step away from the vehicle. And walk away.

👤 chaps
I've done a fair amount of similar disclosures and have had good and bad experiences.

First, consider consulting a lawyer. Then, consider sending it to a reporter who specializes in cybersecurity and who isn't shy about reporting on these issues. They have protocols for this sort of thing and will do proper disclosures beforehand. A way to think about it is that once the reporter reaches out, the company will be in panic mode and try to correct the problem ASAP before bad press gets out. They understand that because a reporter is reaching out to them that an article is in the works and their only option is damage reduction, considering the worse alternative. Reaching out on your own without protections will lead to headaches.

IANAL.


👤 fy20
One thing a lot of white hat wannabes don't seem to understand is that for some vulnerabilities it's not worth the risk of reporting them. There was an article here a few months ago about someone who found a vulnerability with a bank; they reported it to their boss, and they got fired.

To me this definitely feels like it falls into that category. You said the site is really shady to begin with. You are not responsible for the people who are stupid enough to sign up in the first place, so yes, you can have a clear conscience by just ignoring it.

Let's pretend it's a less shady site and doesn't involve crypto millions, and you want to report it: I'd look to see if they have a security reporting policy. If they don't, I'd send a vague email "Hello, I think I found a security vulnerability on your site, can you put me in touch with the right person to report it to?" to their main contact address (info@, support@, whatever) and see what the response is. If you get an angry response or a lawyer or just no response, then it's time to forget it. If you get a developer who sounds like they understand you, then you can proceed.


👤 mpeg
From what you’re describing it sounds a bit like a crypto honeypot … there’s a lot of sites that pose as crypto exchanges but are actually scams, they deliberately expose credentials and have accounts with (fake) millions of dollars in crypto money in them.

Except, when you go to withdraw there’s usually some restriction where you can only withdraw to another site account, so you sign up and are forced to deposit some crypto to activate your new account. Then you’ve lost your money.


👤 joshcryer
You just told the world about a compromised site that has something to do with crypto and stocks. That was your first mistake.

If you want to white hat this you should just contact the admin and mass mail everyone affected and wash your hands of it.

Nuking the site could destroy those people's crypto forever. Don't do that.


👤 binarymax
1) Talk to a lawyer to make sure you’re protected.

2) Read up on anonymous responsible disclosure - you have to give them the chance to patch it themselves in a reasonable amount of time.

👤 mulmen
Stop everything you are doing. Contact a lawyer immediately.

Do not do any of the things you are considering. People go to prison for this stuff.


👤 eljimmy
4) Regret posting this publicly.

👤 chrisMyzel
I think they would not care much for 1); 2) sounds good but might lead to you getting into legal trouble; 3) sounds reasonable :)))

Is this of personal concern to you? I understand our position and responsibility in handling data and data incidents, but it might be worth handing it to someone else. In Germany a go-to address would be the Chaos Computer Club; I believe they are happy to do responsible handling of something like this, but it might be of no concern to them if it's totally not connected to Germany. You might be able to find another org or approach a journalist for help.


👤 akeck
Tread very carefully. You probably need a lawyer. Consider reporting with extremely careful anonymity to affected parties. Do not blog about it until and unless cleared to do so by a lawyer.

👤 spacemanmatt
I would scrape the data whole, then contact the site owners and send them a copy, maybe through an attorney.

Nuking the data will likely make you a fugitive of the law. I would not advise that.


👤 belkarx
The United States Department of Justice recently revised its CFAA policy to legally permit access of the type you engaged in (contradicting a few other comments here).

https://www.bleepingcomputer.com/news/security/us-doj-will-n...


👤 thargor90
The "right thing to do" is to contact your local CERT (don't give personal information and best use a throwaway email over TOR. Don't trust your local authorities).

https://en.wikipedia.org/wiki/Computer_emergency_response_te...


👤 mise_en_place
The irony is that data brokers often have this information and will sell to unscrupulous 3rd party buyers.

👤 na85
I'm surprised nobody has suggested contacting the FBI or other INTERPOL member force.

That's what I would do.


👤 kgc
You can check some logins with ihavebeenpwned.com to see if the list has already been exfiltrated.

👤 chamakits
I’ve never been in a similar position; but I’m thinking about what I’d do if I found the same.

The end goal here is to close the loophole so those affected can be safe as soon as possible with limited risk to yourself. My first thought was to reach out to either a trusted tech journalist who would keep their sources safe (keeping you anonymous), or reach out to an organization like the EFF, which has a strong history of defending people's digital rights and interests.

I don’t know if either of these are good fits for their original purpose, but that’s where my mind went immediately. I’d think either would make good efforts to close the issue and keep you safe.


👤 smcleod
As others have suggested - contact Troy / haveibeenpwned - https://haveibeenpwned.com/FAQs#SubmitBreach

👤 gigatexal
Contact a lawyer to make sure you don’t go to jail and if they say you’re in the clear disclose everything.

Or be the source to some journalist and get protection there? But do disclose this so that affected folks can take action.


👤 4oo4
Great job for being so conscientious about responsible disclosure.

👤 bb88
Reading these comments, it's amazing how hard it is to be a responsible person these days.

The bad guys would have no problem selling this data to make a quick buck.


👤 yakak
As suggested by others, I think haveibeenpwned is the most likely to help users as much as possible.

From a personal liability PoV reporting this to some brokerages with affected accounts is an alternative that only contacts organisations with direct legitimate interest, specific obligations and immunity from a lot of the liability an individual researcher has.


👤 monkeybutton
Ask the site owners to start a bug bounty program.

👤 callmeed
A roundabout way of doing 1+2 could be to find a reputable journalist and explain the situation to them. They could publish a story (possibly requesting comment from the site owners first) on it and keep you anonymous.

This could be a way to do the right thing while lowering your risk of being charged with violating some antiquated hacking law.

But also talk to an attorney before doing that.


👤 grumple
Steps 2 and 3 are definitely illegal.

Send an anonymous email to the site owners / contact info if you want to be a good citizen.

Then forget about this. Not your leak, not your problem. Every user in the US has had their personal info, many passwords, and their social security info leaked by now anyway. Don't get personally involved.


👤 wheresmycraisin
Tell the person to erase all trace that he/she ever saw the data and to get a lawyer just in case. There's a distinct chance the person will be either blamed for the leak or, even worse, for hacking into the company. That's enough to completely ruin a life.

👤 JoeyBananas
Exploit it, crypto isn't real money anyway it's just 1s and 0s

👤 Dr_ReD
You found a dead body and started looking into its pockets... It's never a good idea. I'd step away immediately and notify the site owner. Anonymously, if possible.

👤 daedalus2027
Do the most ethical thing, and keep your good karma intact.

👤 elorant
Why don't you try contacting a law enforcement agency, and let them handle it from there on?

👤 sys_64738
Don't do anything or they may come after you legally too.

👤 eftychis
Talk to a lawyer.

👤 vmception
4) Do nothing

5) Sell the credentials (less liability than 6)

6) yoink


👤 ankaAr
Be a hero bro, be a hero.

👤 dustymcp
Tell the owners of this?