72

Recently I found a leaked database of a company and I do not know how to go about contacting the company. It is so weird because I cannot find any type of Information Security contact email to report this to. It just has a support email. I feel uncomfortable sending the link to the support email.

Should I ask for an Information Security email contact from that company or what should I do? By the way, the support email for the company is more of a fraud or customer support email not a technical support or security.

Also, what would be a good template to follow to give the best insight of the leaked database?

For clarification, I did not penetration test any website that owns, distributes, or has any relation with the company that seems likely to be the originator of the database. I found the database while using my internet searching abilities. I did not use any special tool or calculated methods. I am not a magician who knows where all databases or leaks are. I do stumble across content that is floating on the internet in places where it should not be.

The way I found the database was in a legal manner and not in an illegal fashion.

Arkest Must
  • 38
    **Tread carefully!** A recent article for your consideration. https://arktimes.com/arkansas-blog/2020/05/18/governor-shooting-the-messenger-wrong-tact-in-arkansas-pua-data-breach-experts-say . – user10216038 May 26 '20 at 21:11
  • 47
    @user10216038 so that people don't have to parse the long article: some orgs get so freaked out when notified of breaches that they lash out at the person who informed them as being the cause of the breach. A.K.A. "shooting the messenger". In the case that the article is about, there was a flaw found on the site ***by a user*** and so the user was put under suspicion for violating proper use and violating cyber laws. – schroeder May 27 '20 at 10:01
  • 2
    This one also comes to mind https://www.wired.com/2013/03/att-hacker-gets-3-years/ – Dean MacGregor May 27 '20 at 15:38
  • 3
    @DeanMacGregor That is very much a different situation though. In just about every way. While I'm squarely of the opinion that the correct prosecution would have been of Apple and not Weev, he certainly did himself no favors in what he actually did, or in how he behaved afterwards. At the very least claiming the way he/they revealed the flaw was responsible disclosure is debatable at best. – DRF May 27 '20 at 18:10
  • 3
    Me too in my own country https://www.numerama.com/magazine/28295-bluetouff-condamne-en-appel-pour-avoir-su-utiliser-google.html. in my country you would contact authorities about a violation of privacy laws (failure to protect data) instead. – user2284570 May 28 '20 at 10:06
  • 2
    Seems like it's not worth the hassle. I would just move on. – nullability May 28 '20 at 20:09
  • @DmitryGrigoryev no it does not answer my question. As I did not find the database through a vulnerability. I do kindly say you are a good person for suggesting and recommending me to look at the question and answer of the link you sent. – Arkest Must May 30 '20 at 12:23

7 Answers

96

Don't give security info to non-security people. Use whatever contact method is available to ask for the right security person. Don't give details about what you found until you get someone who will understand it.

Then provide the details about what you found. Don't ask for reward or demand any kind of action or else you are very likely not to be taken seriously. Just provide help and leave it up to them to deal with.

I'm not sure what kind of template you need. Give them the info/steps they need in order to locate the information you found. If you sound too "scripted" you might sound like a scammer. Be human. Be helpful.

schroeder
  • 20
    As to finding who to contact, you could see if they've adopted [the security.txt standard](https://securitytxt.org/) by tagging `/.well-known/security.txt` onto the end of their website URL and seeing whether there's a file there. – anaximander May 27 '20 at 07:32
  • 11
    @anaximander seems like not even SE follows that standard – lucidbrot May 27 '20 at 10:16
  • 33
    @lucidbrot probably because it's not a standard. There's a [draft RFC](https://tools.ietf.org/html/draft-foudil-securitytxt-09) which was submitted three months ago. It's a proposed standard that hardly anyone's ever heard of. Nice idea though. – Aaron F May 27 '20 at 11:15
  • 11
    @anaximander From your "standard": 'It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on August 28, 2020.' – Nobody May 27 '20 at 14:41
  • 5
    @Nobody I'm aware, it's still a *proposed* standard (probably should have clarified that) but there are a fair number of sites I know of who are adopting it. A lot of things in this space get adopted before they're totally official. – anaximander May 27 '20 at 14:44
  • 3
    @AaronF `/.well-known/security.txt` was first suggested in [version 01 of that Internet-Draft](https://tools.ietf.org/html/draft-foudil-securitytxt-01) back in December 2017. It is used by, for example, [the BBC](https://bbc.co.uk/.well-known/security.txt) (although I agree it is little used, which is a shame). – user7761803 May 28 '20 at 16:31
38

One option if you're not having luck finding contact details is to contact the CERT (Computer/Cyber Emergency Response Team) in your country or the entity's country (see the list of global CERTs). These organisations generally have methods of contacting the appropriate people (within the affected entity and national authorities).

In Australia at least, contact from AusCERT and ACSC (Australian Cyber Security Centre) is likely to be taken more seriously than contact from a random and unknown person. An article by Troy Hunt about his experiences handling the Red Cross Australia database leak with AusCERT gives his views on AusCERT's performance. I recommend reading the full article, but skip down to "AusCERT and Red Cross' handling of the incident" for Troy's summary.

Aaron
  • 2
    If the company does not list a security contact anywhere visible it's safe to bet they do not treat security as important. IMHO the most sensible thing to do is to contact a CERT as mentioned above and let them deal with the matter as they please. – TermoTux Jun 10 '20 at 20:17
12

Initial premise: Finding was obtained lawfully

You need to dig up who is their security contact, who in the org should be contacted around disclosure of security faults. How that is (or isn't) organised is entirely up to the org. It's also entirely up to them to ignore or misunderstand you so please bear that in mind and set your expectations.

Finding a contact inside the org (anyone) to talk to directly or asking on a public channel are sometimes useful ways to get to the right people eventually.

Be mindful of what you are reporting and how you communicate the finding. You are offering help, which they can refuse or ignore. Make contact, establish a dialog, offer recommendations if you can, try to gauge the technical level of the contacts and their interest in learning and fixing the issue.

Pedro
  • 9
    Sometimes, you might have luck looking up the company on Linkedin and trying to find someone with a relevant job title. GDPR means many more companies now have people/managers dedicated to data protection and security. – bta May 26 '20 at 19:02
  • 7
    All companies subject to GDPR who process personal data now need a Data Protection Officer (DPO). This might be a good person to speak with. – David May 26 '20 at 23:16
  • 1
    @David yes they must and they should but they don't always do. – Pedro May 27 '20 at 11:17
  • 1
    @Pedro: Worst-case, the OP now has *two* issues they can talk to the company about. Leaking data, and not having a person handling that leak. – Jörg W Mittag May 28 '20 at 07:58
  • 1
    Yes, they would. I am a bit cynical because I see this happening frequently. Most orgs still don't understand disclosure, aren't ready and often don't use the information provided in the way that benefits them the most. – Pedro May 28 '20 at 08:21
5

How much effort do you want to make and why do you want to make it?

Low-effort, "I don't care about them, I just want to be a good person" answer: Get yourself a throw-away e-mail. Send a message to the support address, starting with "please forward to CISO or other person responsible for information security", and let them know where you found what, that you expect no answer or compensation, have a nice day, bye bye.

If you care about it for whatever reason, contact them by phone and get connected to the security person in charge. There's a skill in getting past first-level people and they might brush you off; just try again - you're likely in a call center and will get a different person the second time around. The message given in person should be the same: what you found, where you found it (don't send them the DB directly, point them to where they can find it themselves!), that you don't expect any compensation, have a nice day.

It is very important that you point out very clearly that you're not blackmailing them. The message "I have some of your secret data" is very easily considered a threat.

High-effort solution: The CISO for this company could be on LinkedIn or another professional network. Try to find him there and contact him directly. If not, write a physical letter to them, addressed to the CISO and/or the CEO (the name of the CEO should be easy to find in a company directory). Physical letters are still taken much more seriously than e-mails, and the address info is generally respected, i.e. if addressed by name to the CEO, it will be opened by his secretary, not by some call center agent.

Tom
  • 4
    Why a throw-away email? No, you don't send sensitive security info to a customer support line. That makes things worse. "I don't care, I just want to be a good person". In the example you provided, you aren't being a good person. You might ***feel*** like a good person, but you've done more harm than good. Contacting by phone is not realistic. I would never take a call from a random stranger. Email me first with details for me to verify. This answer offers bad advice and is simply unrealistic. Just do what I said above and ask for the right contact... – schroeder May 27 '20 at 09:45
  • 4
    Letters to the CEO that contain highly technical info are more likely to be binned, not taken seriously. – schroeder May 27 '20 at 09:47
5

Consider handing the info to an impartial, well-known clearing house like Troy Hunt.

https://www.troyhunt.com/ and https://haveibeenpwned.com/

That way you can stay completely anonymous.

Criggie
  • 9
    I'd tread very carefully there. Even if you have obtained the leaked information legally, sharing it with others that are not supposed to have access may very well be illegal. Especially since it's not obvious to the company that owns the information that it's been leaked. – Erik A May 28 '20 at 07:57
  • 2
    That would probably be illegal where I reside. Thank you for the suggestion though. – Arkest Must Jun 25 '20 at 18:52
3

I hesitated before posting this answer since it's only helpful for web applications, but I believe it belongs here.

There are some efforts that try to standardize the way security issues should be reported, and a database leak is one of those. The proposal is called security.txt, and as far as I know, the paper is still a draft.

security.txt (put simply)

For a company

It consists of having a text file named "security.txt" at the root of the company's website, for example: example.com/security.txt. It could also be placed in the .well-known folder: example.com/.well-known/security.txt. The idea is to put all the necessary information about how to report a security issue in this file.

For a security researcher

If this proposal gets wide adoption, reporting a security issue would be pretty standard (I personally believe it could even be automated). When an app (say a website) is found to be vulnerable, looking up this file would give you all the necessary information about how to report it the right way.

More about security.txt
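As an added example (not code from any answer on this page, nor from the security.txt project), here is a small Python parser for the security.txt format that this answer and the comment under the top answer describe. It runs against a constructed sample file; the host example.com and every value in the sample are made up, and the field names follow the draft. It flags what a reporter should check before trusting the file: a missing Contact, a Contact that is not mailto:, tel: or https, and an Expires date already in the past.

```python
from datetime import datetime, timezone

# Constructed sample, as it might be served at
# https://example.com/.well-known/security.txt (hypothetical host and values).
SAMPLE_SECURITY_TXT = """\
# Lines starting with '#' are comments
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2021-12-31T18:37:07Z
Preferred-Languages: en, fr
Policy: https://example.com/disclosure-policy
"""
ACCEPTED_CONTACT_SCHEMES = ("mailto:", "tel:", "https://")  # per the draft

def parse_security_txt(text):
    """Return {field name (lower-case): [values in file order]}."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank, comment or malformed line
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def parse_rfc3339(stamp):
    """Expires uses RFC 3339; fromisoformat() wants '+00:00' rather than 'Z'."""
    stamp = stamp.strip()
    if stamp and stamp[-1] in "Zz":
        stamp = stamp[:-1] + "+00:00"
    parsed = datetime.fromisoformat(stamp)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def check_security_txt(fields, now_iso=None):
    """Return (contacts, problems): what a reporter should know before trusting the file."""
    now = parse_rfc3339(now_iso) if now_iso else datetime.now(timezone.utc)
    contacts = fields.get("contact", [])
    problems = []
    if not contacts:
        problems.append("no Contact field; fall back to other channels")
    for uri in contacts:
        if not uri.startswith(ACCEPTED_CONTACT_SCHEMES):
            problems.append(f"unsupported or non-https Contact URI: {uri}")
    for stamp in fields.get("expires", []):
        try:
            if parse_rfc3339(stamp) <= now:
                problems.append(f"file expired on {stamp}; contacts may be stale")
        except ValueError:
            problems.append(f"unparseable Expires value: {stamp}")
    return contacts, problems
```

Fetching the real file over HTTPS and feeding its body to `parse_security_txt` is the only step left out, so the example stays offline.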

2

One more option in case the relevant jurisdiction does not have a CERT organization (though chances are high that if you're reading this post, you live in a country with one, or the company is based in such a country) and you can't find any other way to contact a relevant person at the company, but one you need to be more careful with, is contacting a competent neutral journalist specialized in information security. Most companies are understandably reluctant to listen to a random nobody who contacts them out of the blue with a message stating they've found a leaked database hanging around. However, a journalist is different from a random nobody in meaningful ways:

  1. They have a much more public online footprint that can easily be found and show that they know what they're talking about;
  2. They have a reputation to protect, both of themselves and of their employer, and as such give a better impression that it's serious and they're not doing this for quick wins;
  3. They're more likely to get an effective response because a company is heavily discouraged from ignoring journalists reporting breaches. One of the worst PR nightmares a company can have is an article in a newspaper describing a company database being hacked and PII being publicly available to anyone, with one of the paragraphs detailing how the company was contacted multiple times with no response.

Note: you definitely will want a competent reporter who is affiliated with a well-known publication. You really shouldn't choose a sensationalist tabloid or a website/TV station with a heavy political bias. I don't mean by this that you should immediately go to a site like The Verge or The Register, though. Especially with smaller companies that are heavily focused on a small number of cities or a small region, it might be more prudent to go with a town newspaper or a local radio station, because there is a greater chance of familiarity with the reporters and publication involved.

One final remark is that this route nearly always ends in the leak becoming EXTREMELY public. Because of that this should only be used as a last resort in case everything else ends in a dead end. You need to be absolutely sure that this result is what you want and that it's a better outcome than keeping it quiet. There are definitely some companies out there where an article like this can have extremely far reaching complications in all levels of society, even to the point where it can ruin friendships, end marriages and cost lives.

Nzall