Data being leaked includes email addresses, geolocations, private photo (read: nudes) URLs, bcrypted (thankfully at least) passwords and salts, password reset / account activation codes, user agents, IPs, fingerprint hashes, staff notes about the accounts and even reports (including reason, text submitted by the reporter, and the reporter itself).
I've tried multiple ways of contacting the company, as the data could seriously harm users and lead to them being stalked/blackmailed, but they have given no response whatsoever. Tried to mention/message them on social media, did an email blast with guesses at their CEO's email (didn't bounce back like security@ did), and as a last resort their CS line. Even their CS simply closed the ticket without even a response, so I'm at a loss on how to proceed.
I've considered going to someone like Krebs, but I'm extremely hesitant to simply because of what could happen if this gets out without being patched.
This sounds like a good idea, honestly. Companies' reactions to vulnerability disclosures can be... unpredictable. If security research is not your area, it might be easier to get someone from that industry to handle the disclosure.
> but I'm extremely hesitant to simply because of what could happen if this gets out without being patched.
If you found this vulnerability, odds are someone else will run into it too sooner or later.
I'm completely serious.
At one point I got mad I couldn't even get an interview at a decent internship despite being an ok-ish hacker, so I wrote up a description of how at the time you could go into about:config in Firefox and just write whatever latitude and longitude you want, and spoofed my location as in the middle of the 2009 green revolution protests in Iran.
Someone kind of chewed me out later, pointed out we don't have diplomatic relations with Iran, I hadn't gotten permission from Zuck or whatever and I kind of shrugged.
(You'd be surprised how much can be accomplished if you start repeating things from classes where the professors read directly from the powerpoint like "I'm just a rational actor responding to incentives" as you reach into your cargo pants and maintain a creepily intense level of eye contact when folks are dumb enough to bring up the internet in real life.)
They are the largest German computer magazine, and have a great track record in getting companies to change bad practices and respecting consumer rights. I also consider them trustworthy w.r.t. not inadvertently leaking the problem.
They have a secure contact form under https://www.heise.de/investigativ/
There aren't laws mandating "responsible disclosure". It's a professional courtesy.
The irresponsible party is the entity operating the service without a security@ email address. Lots of bad actors could easily find this vulnerability independently (probably already have). This means all the service's users are continually at risk right now, every second of every day, as long as this doesn't get resolved.
2. Apply for and interview for a job opening and bring this up.
3. Look up their corporate records and see if there is an attorney on record that helped them file. Report to them.