HACKER Q&A
📣 g48ywsJk6w48

Found a leak of US citizens personal data. Should I report it?


Security research is my hobby. Yesterday I found a pretty big (estimated at tens of thousands of records) data leak. Full name, date of birth, mail, phone, address. I have nothing to do with the company. The company is in California; I'm in Canada.

It's a data operator; its customers are other companies from different states in the US. Texas, California, Florida and others.

I don't think I have the right to download all the leaked data. But several checks I made showed that all client and end-user data is available.

What should I do about it?


  👤 sixhobbits Accepted Answer ✓
Maybe tell someone like Troy Hunt from haveibeenpwned. He has a pretty good reputation/following for verifying this kind of thing and telling the right people.

👤 lpapez
The fact is that you gained unauthorized access to personal information, which might be a criminal offence in your jurisdiction despite your honorable intentions. My advice is to let it go and not implicate yourself any further.

Relevant personal anecdote from the EU: one time I was checking the API of a service I wanted to use and managed to obtain full access to the database, which among a bunch of PII also contained plaintext passwords. Being a good citizen, I decided to report the problem to the national CERT instead of the company, because I had prior experience with such reports where the company reacted with a lawsuit threat. The response from CERT was "While your intents are noble, you just admitted to gaining unauthorized access and we will forward this information to the company if they decide to take legal action".

This was 2 years ago, luckily the company did not press charges, the data in question is still wide open for hacking and I could not care less anymore. Learned my lesson that there is no room for good Samaritans in web security.


👤 hlieberman
You can report it to CISA/USCERT. They will take care of the notification to the end company and protect your identity: https://www.cisa.gov/report

👤 nerdawson
I'd question whether the potential blowback of doing the right thing is actually worth it.

Some organisations will be grateful for your help and you get that warm feeling that comes with knowing you've helped to protect people's data. But, when it goes wrong and you become the target of the organisation's ire, the personal consequences can be severe.

Example: https://news.ycombinator.com/item?id=29745960


👤 anonymouskimmer
I would try reporting it to the company, maybe also the FBI or FTC, or if you aren't too comfortable contacting them, you can try also contacting someone like Brian Krebs who presumably knows who to contact about data leaks of this nature. (Krebs' contact form: https://krebsonsecurity.com/about/ )

👤 6LLvveMx2koXfwn
The replies to this post are almost universally depressing. Really? Reporting to the company is so obviously bad for the reporter in the USA? There is no protection from malicious prosecution just for 'reporting' a data breach. That's crazy.

👤 simple-thoughts
Do nothing. If you or someone contacts law enforcement, you will be hounded for the rest of your life if you are lucky; if unlucky, you will go to prison. You seem like a morally upright person, so selling or leaking the data is also not an option. You are not responsible for the incentives created by the justice system, and inaction in the face of justice system incentives is not morally wrong.

👤 berkle4455
Do not under any circumstances report the leak with your actual identity. If you want to do so anonymously, go for it.

However, that said, there is no upside in you reporting the leak, only downside potential.


👤 behnamoh
Yes it's the ethical thing to report it. Do you know how many people get harassed by stalkers every year in the US? I wouldn't put your name on the report though, just report anonymously.

👤 CommitSyn
These comments are doom and gloom from people who have read articles but haven't been there. I've reported over a dozen medium size leaks and not once has the company tried to come after me. They haven't all fixed them, and for those I haven't pushed, but most of the time they're grateful. If you're worried, contact Troy Hunt and have him be an intermediary for you, as others have suggested.

👤 lucasyvas
If it were me I'd honestly do nothing. History has shown it's equally likely to be a lose-lose scenario. Let it remain as-is.

If it's related to protecting children or a vulnerable group, maybe report it. Otherwise, whatever.

Either way, don't do it in a way that they know it was you who found it.


👤 Mandatum
Ask if they have a bug bounty program first. From ProtonMail.

👤 lun4r
Several commenters suggest doing nothing to stay out of trouble. What if the system is compromised by someone else, possibly with bad intentions, tomorrow? You might already have left traces. If an investigation is conducted it could lead back to you. Not reporting it could get you in a lot more trouble. Read up on the topic of Responsible Disclosure. Or consider reporting it through a lawyer and journalist, as others have suggested.

👤 ElfinTrousers
Nothing. Burn all the evidence (literally or figuratively as appropriate, use common sense) and walk away. If you're expecting gratitude, if you expect the company to say "my goodness, thank you for finding our security hole", you are setting yourself up for bitter disappointment. Better if you were never here and knew nothing.

👤 deadfece
Maybe frame it as a regular bug in a legitimate use context? Lead them to their own discovery of the vulnerability, and they'll think they found it all on their own.

"Oh I used your sample API call but I keep getting out of memory errors."


👤 zamnos
You should, yes, but the world is full of "shoulds" that aren't followed, often for entirely valid reasons. If the organization doesn't have a public bug bounty program, then I wouldn't report it to them - find an intermediary to whom you can anonymously dump the information. Even something as trivial as "view source" is liable to get you investigated for 'hacking', which is a hassle you just shouldn't have to deal with - here's the story of a journalist in Missouri who had that happen to them.

https://www.vice.com/en/article/pkpmj7/this-is-the-hacking-i...


👤 fzeindl
Whatever you do, go to a lawyer first.

👤 t0bia_s
I'm asking myself if you have freedom anymore in the US/Canada if many here suggest not reporting a data leak because of the consequences it could have. It sounds like dissident behaviour from China.

👤 j_not_j
> Security research is my hobby.

Yet you are not prepared for an important consequence of the results of your research.

Perhaps you should consider changing hobbies.


👤 waihtis
Look for a www.domain-of-the-company.com/security.txt file. That's where you might find a responsible disclosure contact if the company has one (high chance they don't).

👤 silverwasthere
If you want to do the right thing and help fix it, use a burner phone to send proof and let someone else break the news who actually has something to gain from it. Like a news agency local to the company, perhaps. You have nothing to gain and a lot to lose.

👤 throwaway290
EFF perhaps. They have lawyers.