zettie 2 hours ago

From https://databreaches.net/2025/02/24/no-need-to-hack-when-its...

DataBreaches also invited Sean Banayan to provide a statement for publication. He replied promptly to this site’s email: "We will further investigate this matter internally and do not wish to entertain this matter with your website."

He really missed all the lessons in manners, common sense and media training.

iandanforth 2 hours ago

The tone of the article is unprofessional to say the least. You could remove the argumentative tone, vitriol, and insults and have a more impactful article that reflected well on the author while appropriately warning people against this company. Please, don't choose team troll.

  • catapart an hour ago

    Personally, I find the tone of the article appropriate for the response received. The first email clearly set the tone as cordial and friendly while still being urgent. The response was in a clearly adversarial tone. So the prompter adjusted their tone accordingly.

    It wasn't necessary to match tones with the person who wanted to be uncharitable, but it definitely feels more human to me, which is who the writing is for: humans. I would have been fine with an info dump, but I enjoy turnabout as much as any other fan of fair play.

  • dghlsakjg an hour ago

    The author is not acting in a professional role here.

    He, in his own time, discovered a pretty serious exposure of information and politely informed them. They decided to not be polite in return. He responded in the same tone as them.

    There was never any professional obligation, nor any obligation for the author to inform them of their breach at all, nor was there any obligation to give them time to notify clients before publication. Those are all courtesies.

    This man didn't choose team troll, he responded to team troll in kind.

    • vorpalhex 14 minutes ago

      To double down here, the author did the correct thing by using their snarkiness.

      If someone who in theory is a professional (the company that left all of this in the open) responds in an unprofessional way from the start - you are done using professional tone. That tool isn't producing results. Stop using that tool.

      The goal is not to model perfect manners - it is to bring attention to a breach so it can be remedied. The author understands this and has acted so to achieve this result.

  • ryandrake an hour ago

    I was also ready to chalk this up to "Yet another security researcher needs to learn how to play well with others..." but the moronic and indignant response from "Sean" makes it clear who's wrong here.

    Imagine an alternate universe where "Sean" wasn't so aggressively stupid, and instead replied: "Thanks, JayeLTee, we took the database down while we do an audit. We don't think there was any access, and we would rather you not go public about the findings, but it will take us time to check. Please hold off on your publication until [DATE] and we will be in touch."

    There. That didn't take much effort! But, no, "Sean" chose belligerence and threats rather than professionalism. I don't know what is wrong with people who just seem to default to "bad attitude" in their communications.

    • JayeLTee 28 minutes ago

      The alternative universe can be seen on this post: https://jltee.substack.com/p/lcptrackercom-lcptracker-inc-se...

      The company did reach out and said something similar. I held my publication for months waiting for a reply which they said they would send, and ended up finding out they were filing breach notifications to multiple states and never said anything back to me.

  • JayeLTee an hour ago

    Not a journalist or a reporter, posts aren't meant to be professional. The only reason I even write any of my posts is because companies DO NOT disclose incidents at all, so I have to do it for them.

    • mind-blight 25 minutes ago

      I thoroughly enjoyed the post and thought your tone was appropriate, entertaining, and kind of cathartic. You didn't call them names, engage in ad hominem, or do anything click-baity. You were understandably irritated at how they talked to you and how they were clearly trying to hide a massive exposure from their users. And then you shredded them with data.

      A+ - And thanks for trying to keep folks like this honest!

  • woodrowbarlow an hour ago

    why is the author obligated to use a professional tone?

  • grayhatter an hour ago

    The author is more professional than Sean was, and conveys the correct amount of disgust we should all hold for this company and its leadership.

    The point of the essay was to be disrespectful of the CEO. Slightly less disrespectful than the CEO was, so IMO he still holds onto the high ground of ethics.

    Please do choose team troll. The correct response to someone being a shitter is not always to kill them with kindness. A lot of the time it is, but this time, I'm clearly on the author's side. He tried twice to be kind, was ignored and then insulted. When really he was owed a thank you, not to be disrespected.

  • Spunkie an hour ago

    Your comment is unprofessional, the CEO in question deserves a lot more vitriol frankly.

  • behringer an hour ago

    The tone doesn't have to be professional. Not everybody owes you professional courtesy, especially when you're giving away personal information on your customers.

delichon 2 hours ago

To be fair, security through denial, lies and intimidation is the industry standard.

Leaving the passwords in clear text is double plus ungood. But my employer recently bought another outfit that does just that, and fixing it is not a near term option. So I'm stuck managing that and three of my fingers are pointing back to me.

  • soco 2 hours ago

    Technically speaking if there's nothing to break, it is unbreakable right? Also if you change the law about some crime, you don't have a crime anymore...

  • dieselgate 2 hours ago

    Dang this is real life. “We didn’t used to do it but..”

  • scoot 2 hours ago

    > my employer recently bought another outfit that does just that [leaves passwords in cleartext], and fixing it is not a near term option

    Could you expand on why not? I can't think of a good reason why this isn't a relatively quick fix. What's the blocker?

    • delichon 2 hours ago

      It requires programming in a language specific to one little-known db product, in an extremely brittle and spaghettified code base. There's exactly one person in the company who kinda knows how to do it, and they're unavailable for the foreseeable future on higher priorities. We don't have the money to throw at new hires or huge porting projects.

      Imagine software that has been in production since the 80's, was written by a very inexperienced dev and has since been continually "organically" upgraded to handle any new promise that a nontechnical product manager feels is necessary to solve the immediate problem of an angry customer. It's a Jenga tower with a reset button.

      • scoot an hour ago

        > they're unavailable for the foreseeable future on higher priorities

        Need I respond to that?

        • delichon an hour ago

          If you know the secret to getting a company to prioritize potential security problems that haven't yet emerged in forty years over meeting payroll, please share.

          • grayhatter an hour ago

            why does it sound like you're defending the argument of:

            I couldn't act ethically because I had to make money.

            • delichon 36 minutes ago

              My paycheck depends on reconciling myself to it. Should I quit possibly my last job before retirement in a bleak job market to protest my manager's decision to protect her job and mine by putting revenue before protecting jane@doe.com's login from being stolen for the Nth time? Am I the bad guy?

              • grayhatter 25 minutes ago

                It's not my place to define your ethics for you. I'm pointing it out so any other readers can be inoculated from accidentally stumbling into this ethical minefield.

                I'm not telling you stealing bread so your family doesn't starve is unethical, I'm pointing out it's stealing.

                No idea if you're the bad guy, but you're not the ~~good guy~~ hero, no.

                • delichon 14 minutes ago

                  I'm a participant in sub-criminal negligence rather than stealing. I'd call that a lesser offense. And it's a failure I have mitigated by working to protect the data. I can't claim innocence, but I sleep OK.

                  • grayhatter 10 minutes ago

                    It's also not about bread, because that was just an analogy.

                    I would sleep ok too, until something bad happened and people I had a responsibility to protect got hurt. Then I wouldn't sleep so well... Turns out humans are really bad at risk calculations.

    • ben_w 2 hours ago

      (not op, just hypothesising)

      > I can't think of a good reason why this isn't a quick fix.

      What if there's some IoT product with no update mechanism and the access password to function is stored on all of them in plain text?

      • scoot 2 hours ago

        Possibly, but that's a very different scenario to a database of cleartext passwords (which is what I assumed was meant), as each device would have to be identified and compromised to access a password to a device which at that point is already compromised...

tptacek an hour ago

I'm confused about the chronology here:

1. He discovers an unprotected database.

2. He mails the CEO of the company.

3. The database is fixed.

4. He mails the CEO again to say he's publishing.

5. The CEO replies and says there was no security breach.

6. He goes spelunking in the database tables to write a rebuttal?

How does step 6 happen? What has this person exfiltrated from the database, in advance of losing access to it in step 3?

  • grayhatter an hour ago

    Step 6 happened because the CEO, in his hubris, decided it would be in his best interests to threaten someone instead of being grateful.

    Additionally, had the CEO responded appropriately and followed the standard methodology of all reasonable bug bounty programs, it would have included a request for the researcher to verify the fix and that there are no additional related bugs or defects with the current patch.

    You noticed that the email implies the security has been perfected. Did you also note that it would be unethical for a professional to blindly convey that false belief?

    • tptacek an hour ago

      I'm wondering how it's possible that step 6 happened, not what the motivations are. It's written in multiple places as if database queries were issued after the database was taken down.

      • 42lux 38 minutes ago

        If they took an hour for the "fix" I guess it wasn't one.

      • grayhatter 44 minutes ago

        Did you not consider the CEO would just lie about fixing something?

        • tptacek 42 minutes ago

          I assume the author isn't lying when they acknowledged that it had been.

          • grayhatter 40 minutes ago

            I'm lost, what are you referring to? The author references the claim by the CEO, and then goes on to prove it was a lie.

            That's a very common linguistical pattern.

            • tptacek 32 minutes ago

              The email that the author sends to the CEO, in which his rationale for immediate disclosure is the fact that the database was fixed.

              • grayhatter 16 minutes ago

                To which the CEO was rude and dismissive and threatening. Which is often a sign of having something to hide. I assume the author decided to then verify if the threats were made from a position of strength or weakness.

                I read his email as a polite gesture, giving them a chance to request more time. I'm still confused as to what parts you're missing. Are you trying to imply something, or do you really not understand that people can lie and withhold information?

                • sevg 4 minutes ago

                  Did you miss this bit from the article:

                  > The email was read by someone, I assume the CEO, and less than an hour after it was sent, I could not connect to the exposed server anymore.

                  This was after the author’s first email, and before the CEO's reply.

                  What tptacek was getting at is that the article is a bit unclear on when the review of DB contents occurred, since the author no longer had access. (But I think it’s just because the author reviewed the contents already before they reported the issue.)

      • TremendousJudge 34 minutes ago

        I think the data he discloses in the post is the data that he got before getting in contact with the company. He does this in order to prove that the database was accessible to anyone on the internet, instead of the "no breach at all" claimed in the response email.

        • tptacek 31 minutes ago

          He writes as if he has access to large quantities of data after the CEO responded to him, which implies that it was after the exposed database was fixed, as the author acknowledges in the email he sent to the CEO.

          • JayeLTee 11 minutes ago

            No I did not query the database after it was exposed.

            The information I had was from when the database was publicly exposed.

            I don't want to be too specific about the links for the files as I don't know if others accessed this information and could exploit it but they had the website path to download the files exposed on the database, you just needed to know what to add to it, I tried a few things from the information I had and found out they worked.

            I would have probably skipped over this, but after their response I wondered if there was more to it.

            The files were not stored on the database, they were on a cloud storage but that link made it so no authentication was required to access them (not an expert but would say some hard coded access keys or something similar).

  • chias 29 minutes ago

    TBH it sounds like he exfil'ed / downloaded the database before reporting.

    • polynomial 14 minutes ago

      Isn't this a jurisdictional crime that a well connected CEO could get him in a lot of trouble for?

DangitBobby an hour ago

I can see how the CEO would consider the initial email to be a scam, sales pitch, or blackmail (still not entirely sure it doesn't qualify as the last two). I'm sure there have been plenty of emails that qualify as such disclaiming themselves so. Of course, I wouldn't have responded how he did; he needed to tread carefully here when he followed up to learn there was an actual breach, but I totally get why he responded that way. Maybe in the future when making initial contact, instead of telling them only that you aren't scamming them or selling something, tell them what you DO want, or at least tell them you will follow up, just let them know how this goes. That would probably make the medicine go down a bit easier when you follow up later.

Ultimately, when you did air out their laundry after they responded poorly, it did kind of feel like you were blackmailing them.

  • JayeLTee an hour ago

    I told him everything he needed to know to fix the exposure on my initial contact on the exact same email I tell him I'm not asking for anything. I even told him some information about the exposed tables.

    Backed by the fact that 1 hour after my email, the exposure was closed and the company never replied back to me, it was only after I followed up they emailed all those claims.

    Again, I never asked for anything, I even offered to delay my publication so they could notify people if that was their intent, where is the blackmail here?

    • DangitBobby 41 minutes ago

      Like I said in another comment, I _still_ don't know what you want from them. If you don't want money and it's not a scam, why are you emailing them? That's what I'm saying, the email feels sketchy, I would NOT be happy to receive such an email. And though perhaps legal (though actually accessing the exposed data was perhaps not legal), publicly humiliating them after the fact when they behave in a way you don't like (sketchy behavior) indicates to me you had sketchy intentions to begin with.

      • ziddoap 36 minutes ago

        >If you don't want money and it's not a scam, why are you emailing them?

        It may be shocking to you, but some security researchers notify companies when they are exposing data of their customers. That's it! Simple.

        When I notice that thousands of people's personal information is available, I also will email the company and let them know that they are exposing the information of their customers. I don't want money in return. My hobby is security, my payment is knowing that I helped thousands of people out.

        >I would NOT be happy to receive such an email.

        You would rather just continue to expose your customers' information? Interesting... I don't think you have the ethical high ground here, if that is your position.

        • DangitBobby 23 minutes ago

          Does the CEO know this when you email them?

          • gs17 12 minutes ago

            While it's hard to convey "this is 100% not a scam" without sounding suspicious, in the example of this article they tried to get it across at the very start. It's on the CEO for becoming hostile to someone who asked for nothing in return and wasn't making any threat.

          • chrisoverzero 11 minutes ago

            > First of all, please do not ignore this email, this is not a scam attempt nor am I trying to sell anything, I am just alerting and looking for help closing down a security issue […]

            This seems like a good hint.

            • DangitBobby 7 minutes ago

              I can't tell if people are being deliberately dense as a way of punishing me for having a critical opinion, not reading the rest of the comments before responding to me, or genuinely do not understand what I am getting at.

              A hallmark of a nefarious email (particularly scams but some sales attempts) is that they aim to deceive you. Humans famously have the capability of lying. Someone telling me they are _not_ selling something or scamming me doesn't actually tell me what they want, and it does not provide me with enough information to know that they are not, in fact, scamming me. It just lets me know they don't want me to think I am being scammed.

          • ziddoap 22 minutes ago

            Does the CEO know what?

            • DangitBobby 16 minutes ago

              The motivations behind the researcher emailing them.

      • 42lux 33 minutes ago

        I hope you are not in a client-facing role, as you appear to lack the ability to understand another's perspective. Security researchers rely on publications and recognition from security platforms to build their CVs. That's what he wanted. Think about it that way: if everyone was an idiot like the CEO of this ordeal we would have way less white hats.

        • DangitBobby 19 minutes ago

          I am in a very client-facing role, and my clients quite like me. You know nothing about me, and you are completely misunderstanding this situation. I am holding the researcher accountable to how they comported themselves in this interaction instead of dick-riding a fellow hacker. I actually do understand what security researchers usually want out of such an interaction. Where things fall apart is that the CEO does _not_ know, then the researcher punished them for their behavior and accessed their data, likely illegally. I am trying to communicate why they got a bad response, and why their response to the bad response was bad. I probably shouldn't have mentioned blackmail because people are focusing on that. I'm mainly trying to say "it reads like it could be blackmail" and they'd have a friendlier interaction with just a little more info upfront.

          • 42lux 7 minutes ago

            He is absolutely in his right to write a post about it. He even tried to mediate with a third party. You are delusional if you think somebody owes you something in that situation.

            • DangitBobby 4 minutes ago

              > I'm simply trying to say the researcher would have more pleasant interactions with the people they email if they helped the person understand what they _do_ want out of the interaction instead of just saying they aren't being scammed. If the researcher placed themselves in the shoes of the CEO, they could understand why the CEO responded that way. That's not the same thing as thinking the CEO _should_ have responded that way. I am also not letting the researcher off the hook for responding to the CEOs response the way they did.

              • 42lux a minute ago

                You are right if you just look at the emails, but you are disregarding the attempt to mediate via a third party, in which the CEO reacted in the same way.

      • ForHackernews 35 minutes ago

        As I read it, he wants them to secure their systems and fulfill their legal and ethical obligations to their customers and regulators by notifying them of the breach.

        I'm not sure what you find ambiguous or confusing.

        • polynomial 11 minutes ago

          There are 2 sides to every story, with the other side being a potential business opportunity. /s

  • margalabargala an hour ago

    That's...not what blackmail is.

    Blackmail is when someone says "do $thing or else". That didn't happen here, implicitly or explicitly.

    If you're saying the implicit blackmail was "don't be an asshole, or else I'll be unkind when I talk about you later to others", then all of us are always blackmailing one another with every conversation.

    • DangitBobby an hour ago

      Yes, "it would be a shame if something were to happen" is also not extortion, because you aren't actually saying you will visit misery upon them, only implying it. The mistake you are making is assuming the researcher wants literally nothing, or that the CEO can know they want literally nothing. I still have no idea what they actually wanted, and whether there was going to be some sort of value extraction.

      • margalabargala 30 minutes ago

        I see you read and understood the researcher's emails as well as the CEO did, then...I'm not assuming anything, I'm repeating what was said.

        Are you suggesting that lacking understanding of something someone says, one's first reaction should be an asshole to that person, just in case they are trying to sell something?

        • DangitBobby 13 minutes ago

          No, I'm simply trying to say the researcher would have more pleasant interactions with the people they email if they helped the person understand what they _do_ want out of the interaction instead of just saying they aren't being scammed. If the researcher placed themselves in the shoes of the CEO, they could understand why the CEO responded that way. That's not the same thing as thinking the CEO _should_ have responded that way. I am also not letting the researcher off the hook for responding to the CEOs response the way they did.

celticninja 3 hours ago

Oh dear, that really is a poor response by the CEO. Can't wait to see the grovelling apology he comes up with when NZ media/regulator comes asking questions

badmintonbaseba 28 minutes ago

It looks like the CEO is both clueless and his reports are also probably misleading him. Whoever looked into the security problem probably saw the extent of it. This possibly got downplayed when reported back to the CEO. However rude, the CEO had little reason to lie about the extent of the problem towards the security researcher.

  • shitter 8 minutes ago

    I imagine the conversation between the CEO and his reports included something about "it's no biggie, the passwords were hashed using bcrypt, that's like irreversible encryption" without contextualizing that and mentioning that plaintext auth tokens were also exposed.
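Two technical points surface in this thread: delichon's legacy system that still stores passwords in cleartext and cannot be rewritten quickly, and the remark above that hashing passwords with bcrypt buys little if session tokens sit next to them in plaintext. The following is an added example, not code from the thread or from the company discussed, showing one defensive pattern that addresses both: an account store that rehashes legacy plaintext rows opportunistically on the user's next login, and that keeps only a fingerprint of each session token so a copied database yields neither usable passwords nor usable sessions. The comment mentions bcrypt; this example assumes the standard-library scrypt KDF as a stand-in so it runs with no extra packages. The `AccountStore` class, the email addresses and the legacy rows are constructed for illustration.

```python
"""Added example: credentials and session tokens that are useless if the store leaks.

Assumptions (not from the thread): scrypt from hashlib stands in for bcrypt;
AccountStore, its method names and all sample rows are constructed here.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Modest cost parameters so the demo runs quickly; production tuning is a separate topic.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'scrypt$<salt>$<digest>' string for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    recomputed = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def token_fingerprint(token: str) -> str:
    """Session tokens are high-entropy random strings, so a plain SHA-256 suffices;
    only this fingerprint is ever written to the store, never the raw token."""
    return hashlib.sha256(token.encode()).hexdigest()


class AccountStore:
    """Constructed in-memory stand-in for the users and sessions tables."""

    def __init__(self) -> None:
        self.users = {}     # email -> {"pw": hash or legacy plaintext, "legacy": bool}
        self.sessions = {}  # token fingerprint -> email

    def import_legacy_row(self, email: str, plaintext_password: str) -> None:
        # Rows inherited from the old system arrive as plaintext; flag them so the
        # next successful login replaces the plaintext with a hash.
        self.users[email] = {"pw": plaintext_password, "legacy": True}

    def create_user(self, email: str, password: str) -> None:
        self.users[email] = {"pw": hash_password(password), "legacy": False}

    def login(self, email: str, password: str) -> Optional[str]:
        """Check the credential, migrate a legacy row if needed, and mint a session."""
        row = self.users.get(email)
        if row is None:
            return None
        if row["legacy"]:
            ok = hmac.compare_digest(row["pw"].encode(), password.encode())
            if ok:
                # Opportunistic migration: the plaintext leaves the store right now.
                row["pw"] = hash_password(password)
                row["legacy"] = False
        else:
            ok = verify_password(password, row["pw"])
        if not ok:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token_fingerprint(token)] = email
        return token  # handed to the client once; the store only keeps its fingerprint

    def resolve_session(self, token: str) -> Optional[str]:
        return self.sessions.get(token_fingerprint(token))

    def legacy_rows_remaining(self) -> int:
        """How many plaintext passwords an attacker copying the store would still get."""
        return sum(1 for r in self.users.values() if r["legacy"])


def demo() -> dict:
    """Constructed walk-through: one legacy row, one modern row, one login."""
    store = AccountStore()
    store.import_legacy_row("jane@doe.com", "hunter2")   # constructed legacy row
    store.create_user("bob@example.com", "correct horse")  # constructed new row
    before = store.legacy_rows_remaining()
    token = store.login("jane@doe.com", "hunter2")
    return {
        "legacy_before": before,
        "legacy_after": store.legacy_rows_remaining(),
        "session_user": store.resolve_session(token),
        "raw_token_in_store": token in store.sessions,
    }


if __name__ == "__main__":
    print(demo())
```

The migration path is the part that matters for delichon's situation: nothing has to be rewritten up front, the existing rows are merely flagged, and each user's plaintext disappears the first time they authenticate. The token fingerprinting is the part that matters for the bcrypt remark: a dump of `sessions` contains hashes that cannot be replayed as cookies, so hashed passwords are not undone by a neighbouring table.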

sevg an hour ago

Unfortunately, there are people out there (with a seemingly large overlap with CEOs) that have incredibly fragile egos, and any perceived criticism (such as pointing out a dreadful security failure) can result in lies, excessive reactions, defensiveness, denial, insults, scapegoating or even retaliation. Or all of the above.

In situations like this, it feels to me like the reaction is “how dare you think that I would need your help?!”

soulofmischief 38 minutes ago

Name and shame. Great job, great write up.

readthenotes1 2 hours ago

That's almost too good to be true - - that the CEO thought that Proton was the author's company

JohnFen 2 hours ago

Once again, one of my rules of thumb holds true: if someone is claiming that their security is "impossible to hack", they're either massively incompetent or they're trying to sell you some BS.

dtgm92 2 hours ago

Not very polite or understanding.

Wants to be helpful but comes across as aggressive, names and shames them, insults and ridicules them... come on, you can do better.

  • JayeLTee an hour ago

    OP here, the one who found the exposed data.

    Not sure if you read my 2 emails to the company but I would say I was polite to them and was met with accusations of harassment and straight up lies.

    Don't expect me to pat you on the back if you come at me with such claims when I simply alerted you of a security issue.

    • DangitBobby an hour ago

      I don't think you get to call yourself polite or well-meaning when you pan them and air their shit out publicly after they respond in a way you don't like. Maybe you were superficially polite, but you do not come across as an angel. I _still_ don't know exactly what your goals are, if you're looking for acknowledgement, payment, or just trying to make the Internet a safer place for users.

      • JayeLTee an hour ago

        I think the around 50 public disclosures I did in the last year where I asked 0 times for anything kinda show I'm not looking for any payments.

        There is a huge issue regarding publicly exposed data that no one seems to want to acknowledge or talk about, what you see online? It's 100 times worse.

        I'm someone who is trying to raise awareness through my finds, nothing else.

        Also I was initially polite to the company, not once but twice, as I am to anyone I reach out to. Why wouldn't I be? I want them to fix the issues, not ignore me.

        Don't expect the politeness to be infinite though, especially when you start accusing me of harassment and lying about the severity of the exposure that affects thousands of people, the ones I DO care about, not the companies.

      • prododev an hour ago

        Sure you do. The poster was polite, got an extremely rude response, and has no obligation to be polite afterwards.

        Airing their shit out is a disclosure of a vulnerability, and it's important to do. Typically you reach out to say, "how would you prefer I do this?" And work through a common understanding. The company flipped the bird, so it got aired very publicly.

        • DangitBobby 39 minutes ago

          I can call myself a bicycle but I don't have any wheels.

          Their behavior when things don't go their way belies their initial "politeness". When the transaction didn't go how they wanted, they pulled the trigger on being a dick, publicly. That is a much worse offense than an impolite email. If this were a coworker or a contractor, it would color all of my interactions with them going forward.

  • DangitBobby an hour ago

    Agree. "You're not wrong, Walter, you're just an asshole!" Best case scenario, CEO just got an annoying distraction that was a credible enough threat they had to waste time investigating. Worst case they had a breach and someone is extorting or hacking them. Some grace on the part of the researcher is warranted IMO, despite the amateur handling by the CEO. No one looks good here.

    • grayhatter 4 minutes ago

      The OP/researcher looks fine. They tried twice to help someone who would eventually prove they didn't deserve the help. They then, after being disrespected, still upheld all the ethical requirements of a security researcher, redacting sensitive information. The CEO looks like a twat waffle, but the researcher is clean, and just looks like someone intolerant of overt disrespect. Being willing to stand up to bullies is admirable, not disheartening.

hobs 2 hours ago

Even if a guy is an easily hackable asshole, usually accessing the stuff directly and downloading his database is still a crime (at least in the US), stay safe buddy.