Ex-contractor published company source code and secrets onlineEffect of Source Code Leakage of a security suite on securityWhat to do in response to a source code and/or database leak by a third party hosting provider?Source code securityCode, Data and Passwd encrypted? sqlplus $USER/$PASSWORD@$ORACLE_REMOTE_SIDRestricting source code exposure

Most practical knots for hitching a line to an object while keeping the bitter end as tight as possible, without sag?

Is refusing to concede in the face of an unstoppable Nexus combo punishable?

Would it be possible to have a GMO that produces chocolate?

How to write triplets in 4/4 time without using a 3 on top of the notes all the time

grade 5 bolts not marked if galvanized?

Which household object drew this pattern?

Check in to 2 hotels at same location

Why does my house heat up, even when it's cool outside?

Does the length of a Scientific report imply anything about credibility or thoroughness?

In what ways can a Non-paladin access Paladin spells?

Script that helps people make better choices

LeetCode: Pascal's Triangle C#

How to dismiss intrusive questions from a colleague with whom I don't work?

Why doesn't the Falcon-9 first stage use three legs to land?

Nth Problem with TikZ and Extensive Form Games

Was Tuvok bluffing when he said that Voyager's transporters rendered the Kazon weapons useless?

Sleeping solo in a double sleeping bag

Why is my Earth simulation slower than the reality?

Why does The Ancient One think differently about Doctor Strange in Endgame than the film Doctor Strange?

Fried gnocchi with spinach, bacon, cream sauce in a single pan

What professions would a medieval village with a population of 100 need?

Is “I am getting married with my sister” ambiguous?

How is "sein" conjugated in this sub-sentence?

How to persuade recruiters to send me the Job Description?



Ex-contractor published company source code and secrets online


Effect of Source Code Leakage of a security suite on securityWhat to do in response to a source code and/or database leak by a third party hosting provider?Source code securityCode, Data and Passwd encrypted? sqlplus $USER/$PASSWORD@$ORACLE_REMOTE_SIDRestricting source code exposure






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








106















Just found my current company code on the plain internet.



We are talking hundreds of thousands of lines of scripts and configurations, including database schemas and a fair amount of internal information. Looks like an archive of some project(s), all concatenated into one file.



Didn't have time to go through everything yet. Quick search for exposed databases and credentials is hinting toward other files/functions that are missing.



This appear to be the personal website of a contractor who worked here 5 years ago.



Edit 1 hour later: Found sensitive information from every company that guy worked for in the last 2 decades, mostly F500: huge national bank, postal service, large electronics manufacturer, general electric...



Mix of code, configuration, notes and what appears to be console input logs. No idea why a guy would keylog himself let alone publish it on the internet, this is really odd.



It's a treasure trove. There are references to all kinds of internals with sometimes username and password. FTP access to production servers. SSH access to god knows what, even with the one-time RSA token number that was used if it was 2FA protected.



What can be done about that and who to contact? Cyber? Legal? FBI? SEC? Other? Any combination of these?



I am in the UK. The contractor is in the US.










share|improve this question





















  • 87





    You should absolutely get in touch with a lawyer ASAP. As far as I am aware, the UK is affected by the GDPR, so you may have to report a breach as well. IMHO, this should be a code red for you.

    – MechMK1
    Aug 9 at 12:15






  • 4





    "Console input logs" - be aware that most unix systems do this by default, for example ".bash_history" in your home folder.

    – Moo
    Aug 9 at 23:24






  • 16





    I'd assume that this is an oversight: Most likely botched access permissions of a personal backup in the cloud. Have you considered simply contacting the contractor? They may still even have the same phone number! That may be the fastest and easiest way to take it down. (Legal aftermath for them not withstanding. Damage can be huge.)

    – Peter A. Schneider
    Aug 10 at 11:17







  • 6





    @PeterA.Schneider That's really something that should only be done after contacting legal.

    – Mast
    Aug 11 at 7:50






  • 3





    @WGroleau That might be true, but the company affected by the breach may very well be affected by GDPR. After all, they are obligated to notify the relevant authorities of the breach.

    – MechMK1
    Aug 12 at 10:33

















106















Just found my current company code on the plain internet.



We are talking hundreds of thousands of lines of scripts and configurations, including database schemas and a fair amount of internal information. Looks like an archive of some project(s), all concatenated into one file.



Didn't have time to go through everything yet. Quick search for exposed databases and credentials is hinting toward other files/functions that are missing.



This appear to be the personal website of a contractor who worked here 5 years ago.



Edit 1 hour later: Found sensitive information from every company that guy worked for in the last 2 decades, mostly F500: huge national bank, postal service, large electronics manufacturer, general electric...



Mix of code, configuration, notes and what appears to be console input logs. No idea why a guy would keylog himself let alone publish it on the internet, this is really odd.



It's a treasure trove. There are references to all kinds of internals with sometimes username and password. FTP access to production servers. SSH access to god knows what, even with the one-time RSA token number that was used if it was 2FA protected.



What can be done about that and who to contact? Cyber? Legal? FBI? SEC? Other? Any combination of these?



I am in the UK. The contractor is in the US.










share|improve this question





















  • 87





    You should absolutely get in touch with a lawyer ASAP. As far as I am aware, the UK is affected by the GDPR, so you may have to report a breach as well. IMHO, this should be a code red for you.

    – MechMK1
    Aug 9 at 12:15






  • 4





    "Console input logs" - be aware that most unix systems do this by default, for example ".bash_history" in your home folder.

    – Moo
    Aug 9 at 23:24






  • 16





    I'd assume that this is an oversight: Most likely botched access permissions of a personal backup in the cloud. Have you considered simply contacting the contractor? They may still even have the same phone number! That may be the fastest and easiest way to take it down. (Legal aftermath for them not withstanding. Damage can be huge.)

    – Peter A. Schneider
    Aug 10 at 11:17







  • 6





    @PeterA.Schneider That's really something that should only be done after contacting legal.

    – Mast
    Aug 11 at 7:50






  • 3





    @WGroleau That might be true, but the company affected by the breach may very well be affected by GDPR. After all, they are obligated to notify the relevant authorities of the breach.

    – MechMK1
    Aug 12 at 10:33













106












106








106


24






Just found my current company code on the plain internet.



We are talking hundreds of thousands of lines of scripts and configurations, including database schemas and a fair amount of internal information. Looks like an archive of some project(s), all concatenated into one file.



Didn't have time to go through everything yet. Quick search for exposed databases and credentials is hinting toward other files/functions that are missing.



This appear to be the personal website of a contractor who worked here 5 years ago.



Edit 1 hour later: Found sensitive information from every company that guy worked for in the last 2 decades, mostly F500: huge national bank, postal service, large electronics manufacturer, general electric...



Mix of code, configuration, notes and what appears to be console input logs. No idea why a guy would keylog himself let alone publish it on the internet, this is really odd.



It's a treasure trove. There are references to all kinds of internals with sometimes username and password. FTP access to production servers. SSH access to god knows what, even with the one-time RSA token number that was used if it was 2FA protected.



What can be done about that and who to contact? Cyber? Legal? FBI? SEC? Other? Any combination of these?



I am in the UK. The contractor is in the US.










share|improve this question
















Just found my current company code on the plain internet.



We are talking hundreds of thousands of lines of scripts and configurations, including database schemas and a fair amount of internal information. Looks like an archive of some project(s), all concatenated into one file.



Didn't have time to go through everything yet. Quick search for exposed databases and credentials is hinting toward other files/functions that are missing.



This appear to be the personal website of a contractor who worked here 5 years ago.



Edit 1 hour later: Found sensitive information from every company that guy worked for in the last 2 decades, mostly F500: huge national bank, postal service, large electronics manufacturer, general electric...



Mix of code, configuration, notes and what appears to be console input logs. No idea why a guy would keylog himself let alone publish it on the internet, this is really odd.



It's a treasure trove. There are references to all kinds of internals with sometimes username and password. FTP access to production servers. SSH access to god knows what, even with the one-time RSA token number that was used if it was 2FA protected.



What can be done about that and who to contact? Cyber? Legal? FBI? SEC? Other? Any combination of these?



I am in the UK. The contractor is in the US.







data-leakage legal infoleak






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Aug 11 at 11:58









a CVn

6,8581 gold badge24 silver badges48 bronze badges




6,8581 gold badge24 silver badges48 bronze badges










asked Aug 9 at 10:57









user5994461user5994461

6312 gold badges5 silver badges4 bronze badges




6312 gold badges5 silver badges4 bronze badges










  • 87





    You should absolutely get in touch with a lawyer ASAP. As far as I am aware, the UK is affected by the GDPR, so you may have to report a breach as well. IMHO, this should be a code red for you.

    – MechMK1
    Aug 9 at 12:15






  • 4





    "Console input logs" - be aware that most unix systems do this by default, for example ".bash_history" in your home folder.

    – Moo
    Aug 9 at 23:24






  • 16





    I'd assume that this is an oversight: Most likely botched access permissions of a personal backup in the cloud. Have you considered simply contacting the contractor? They may still even have the same phone number! That may be the fastest and easiest way to take it down. (Legal aftermath for them not withstanding. Damage can be huge.)

    – Peter A. Schneider
    Aug 10 at 11:17







  • 6





    @PeterA.Schneider That's really something that should only be done after contacting legal.

    – Mast
    Aug 11 at 7:50






  • 3





    @WGroleau That might be true, but the company affected by the breach may very well be affected by GDPR. After all, they are obligated to notify the relevant authorities of the breach.

    – MechMK1
    Aug 12 at 10:33












  • 87





    You should absolutely get in touch with a lawyer ASAP. As far as I am aware, the UK is affected by the GDPR, so you may have to report a breach as well. IMHO, this should be a code red for you.

    – MechMK1
    Aug 9 at 12:15






  • 4





    "Console input logs" - be aware that most unix systems do this by default, for example ".bash_history" in your home folder.

    – Moo
    Aug 9 at 23:24






  • 16





    I'd assume that this is an oversight: Most likely botched access permissions of a personal backup in the cloud. Have you considered simply contacting the contractor? They may still even have the same phone number! That may be the fastest and easiest way to take it down. (Legal aftermath for them not withstanding. Damage can be huge.)

    – Peter A. Schneider
    Aug 10 at 11:17







  • 6





    @PeterA.Schneider That's really something that should only be done after contacting legal.

    – Mast
    Aug 11 at 7:50






  • 3





    @WGroleau That might be true, but the company affected by the breach may very well be affected by GDPR. After all, they are obligated to notify the relevant authorities of the breach.

    – MechMK1
    Aug 12 at 10:33







87




87





You should absolutely get in touch with a lawyer ASAP. As far as I am aware, the UK is affected by the GDPR, so you may have to report a breach as well. IMHO, this should be a code red for you.

– MechMK1
Aug 9 at 12:15





You should absolutely get in touch with a lawyer ASAP. As far as I am aware, the UK is affected by the GDPR, so you may have to report a breach as well. IMHO, this should be a code red for you.

– MechMK1
Aug 9 at 12:15




4




4





"Console input logs" - be aware that most unix systems do this by default, for example ".bash_history" in your home folder.

– Moo
Aug 9 at 23:24





"Console input logs" - be aware that most unix systems do this by default, for example ".bash_history" in your home folder.

– Moo
Aug 9 at 23:24




16




16





I'd assume that this is an oversight: Most likely botched access permissions of a personal backup in the cloud. Have you considered simply contacting the contractor? They may still even have the same phone number! That may be the fastest and easiest way to take it down. (Legal aftermath for them not withstanding. Damage can be huge.)

– Peter A. Schneider
Aug 10 at 11:17






I'd assume that this is an oversight: Most likely botched access permissions of a personal backup in the cloud. Have you considered simply contacting the contractor? They may still even have the same phone number! That may be the fastest and easiest way to take it down. (Legal aftermath for them not withstanding. Damage can be huge.)

– Peter A. Schneider
Aug 10 at 11:17





6




6





@PeterA.Schneider That's really something that should only be done after contacting legal.

– Mast
Aug 11 at 7:50





@PeterA.Schneider That's really something that should only be done after contacting legal.

– Mast
Aug 11 at 7:50




3




3





@WGroleau That might be true, but the company affected by the breach may very well be affected by GDPR. After all, they are obligated to notify the relevant authorities of the breach.

– MechMK1
Aug 12 at 10:33





@WGroleau That might be true, but the company affected by the breach may very well be affected by GDPR. After all, they are obligated to notify the relevant authorities of the breach.

– MechMK1
Aug 12 at 10:33










8 Answers
8






active

oldest

votes


















83













First take screenshots of what you find. For the data that is yours, you should catalogue that. Personally, I would download it so you have a reference. You should take screenshots of your own data and avoid data that is not yours. Make sure you include the URLs. Document those in a way that a lawyer can understand. This is likely to become a legal problem, not an IT problem. I say "screenshots" because that is unambiguous and lawyers understand screenshots.



Contact your internal lawyers, plus your communications or media people. You need to get this breach onto their radar. The lawyers will then need to look into the commercial contract with the contractor, probably via the account management team if you work for a big old company. No one in senior leadership will want to find out about it from everyone's favourite IDS: Twitter. Your comms / PR teams will need to deal with any messages that come about from this. Your executive team may need to be involved. You should get guidance from your CIO unless you are the CIO, in which case I would be inclined to inform people internally.



Engage with your company data protection officer. That may be the lawyer. They will decide if the breach is GDPR / ICO notifiable. You have to do this quickly as you have 72 hours to make the decision from the point you are aware; that includes the weekend (never go looking for incidents on a Friday…). Your DPO will advise. If you are the DPO then you might want to engage your company external legal counsel to confirm your decisions.



Once you have looked at the data, you will be able to advice how many data subjects are affected, if any. You will also be able to determine if the data breach affects any of your clients as you may have a contractual obligation to inform them.



Contact the hosting company. If it's something like GitHub then they may be inclined to play nicely. You may need to get your lawyers to write to them as officers of the company.



Contact the contractor, ideally via their contracted company, and via the in-house lawyer. Demand they take down what is there.



Now you can start to work out the material impact to your business. Credentials, keys and other authentication tokens will need to be changed I expect.



Depending on the size of your company, your appetite for risk, and your pocket size, you might want to consider bringing in a forensics-type company to go out hunting for similar data. Yes I know it's a bit of security theatre, but if you work for a FTSE100 firm then a report with a Big4 audit badge saying "no more issues" is exactly what you need should the midden hit the windmill. (I am amazed at what I see big firms spend on such reports as, of course, the same thing from an internal person is often considered to count for little).



I am not sure about the data that is not yours. If you start trying to engage with third parties then you are bound to be asked what data you have got from them and they are bound to ask you to confirm that any data you have taken has been deleted. Personally I'd be inclined to ignore any data that is not mine. You might want to make a disclosure to whomever you think is the data owner, entirely up to you.



You mention keylog; if you are wondering why an individual might have a keystroke logger on their own PC then well to be generous they might be using it as a simple backup of what they type. I know people who have done that.



Aside: Finally as a tangential observation, what you have found is not that uncommon. People store all kinds of junk; for example people link their home data storage to the internet via FTP: we run regular assessments for such data that contains our company strings.






share|improve this answer






















  • 59





    This is pretty helpful, but I'd change one thing. When it comes to other people's data, absolutely do not, under any circumstances, screenshot download, or even (to the extent you can avoid it), view it. You seem a bit uncertain about that point, but the law is very clear in almost all jurisdictions. Any attempt to download or record someone else's data, without their permission, even when already leaked, may end with you or your company in your own legal trouble with that company.

    – Conor Mancone
    Aug 9 at 13:42






  • 4





    @ConorMancone Would it be worth contacting the company if they're identifiable by something like filename? I am guessing the OP is seeing some sort of listing. If the OP sees a folder called stackexchange.com, I would think it would be fine to send stackexchange a link to the listing. Like "hey, thought you'd like to know, haven't checked it out, but you should."

    – Tin Can
    Aug 9 at 20:54






  • 6





    @TinCan I think that is perfectly reasonable. You obviously can't avoid seeing things, and so knowing the name of companies involved is explainable and reasonable. However, if they ask you anything about the details of what you found, you need to be able to say honestly and unequivocally, "I did not in anyway download or save any information from your company. I saw just enough to identify you as a victim, and stopped looking further as soon as I saw that it was confidential information"

    – Conor Mancone
    Aug 9 at 21:01






  • 20





    Don't contact anyone on your own. Let the company lawyer contact any third party if the lawyer so desires. At this point you absolutely want the support of your companies legal team. Let them lead.

    – MaxW
    Aug 10 at 6:19






  • 4





    Great answer. "The same thing from an internal person is often considered to count for little" I would say the internal person would be relieved not to take professional responsibility for the accuracy of their report; whereas an external agent will have lawyers and insurance, etc.

    – jpaugh
    Aug 11 at 6:14


















26













You typically want to contact the hosting company to take it down and hold all data and logs under a legal hold.



You could also contact the other companies affected.



Legally, you will need to contact a lawyer and the law enforcement in your jurisdition.






share|improve this answer
































    20













    It should go without saying, but make sure that those login credentials are not working on your system. If they weren't deactivated when he left your organization (when they should have been), you'll want to audit your access logs to make sure they haven't been used since he left -- if they were on a public website where anyone could find them, you should assume that someone has tried them.



    Keep a careful log of everything you're finding, including details like when and how you're finding it. Law enforcement will want to know. You may very well have to testify in court about this one day -- even if your company doesn't sue, the other companies might, and you will look more professional if you have all the details ready when they call you as a witness.






    share|improve this answer
































      17













      If you are a regular member of staff at the company, your correct escalation should be through the Infosec team, and fall back to the Legal and IT departments if your company isn't big enough to have a dedicated Infosec team. I would also copy HR on any communication.



      This is an extremely serious scenario. If you don't know what to do (and the fact that you are very sensibly asking for advice on Stack Exchange shows that you don't) then you need to pass this over to the teams within your company that do.



      Don't try to do anything outside of the company by yourself.



      Provide your Infosec/IT/Legal teams with the URLs to the information that is hosted on that site.



      If you have downloaded information that relates to other companies, delete it. It is confidential information that you should not be in possession of. Instead, let your Infosec/IT/Legal teams contact the other companies in an official capacity.






      share|improve this answer
































        8













        For getting it taken down, you could have a US lawyer issue a DMCA takedown notice to the hosting provider, asserting that you own the content and have not consented to it being distributed - this should get an immediate reaction if the hosting provider honours DMCA notices, to which the contractor can respond.






        share|improve this answer

























        • I would think that a professional provider would take down such a file "immediately" (i.e., after a quick look at it to corroborate your findings) after you alert them and present a few of your information details in there which should obviously not be online.

          – Peter A. Schneider
          Aug 10 at 11:13






        • 3





          @PeterA.Schneider most decent providers should act under the safe harbour protections, which means they cannot make those sort of determinations - best to send a proper legal request such as under the DMCA which allows them to take down the content without making a determination. A provider that validates your request by looking at the content and makes a determination opens themselves up to massive liability.

          – Moo
          Aug 10 at 11:43






        • 1





          Yes, of course the legal avenue should be pursued in parallel. But in case of a gross and obvious data leak ("major bank", "passwords" etc.) I believe the provider has a duty to act immediately as well when alerted of it, in order to avoid further damage to third parties. It's conflicting duties for sure, and it will be important to give good proof.

          – Peter A. Schneider
          Aug 10 at 12:16











        • Be aware that outside of the US, DMCA requests are not free, and substantial costs may be involved.

          – mckenzm
          Aug 11 at 5:25











        • @PeterA.Schneider FWIW, You should never pursue an other-than-legal avenue. ;-) I would expect a DMCA letter to be prioritized over a "mere" support request --- e.g. it doesn't need to be triaged before responding --- so that actually might be the quickest way to notify the right technical staff.

          – jpaugh
          Aug 11 at 6:24


















        2













        I have been in a similar situation. I contacted my boss and the owner immediately (we only had 25 people). The owner handled everything, but he asked me to be available for a phone call. Since this involved a DOD contractor in the US, it was a DOD responsibility. We were never told the outcome.



        Let the owner/COO/corporate counsel contact law enforcement.



        US law enforcement loves to trap people for perjury. Always have a lawyer's advice and a lawyer present when you speak with law enforcement.



        Let the lawyers handle any screenshots.



        Let law enforcement notify other entities that their sensitive information has leaked.






        share|improve this answer



























        • I'm unfamiliar with the term "LE". Can you explain?

          – chue x
          Aug 12 at 14:04






        • 1





          @chuex: possibly Law Enforcement?

          – Christian Severin
          Aug 12 at 14:29


















        1













        This is an addition to the other answer from the top (currently). I understand it's been 3 days already and we won't see an answer from OP, but I strongly suggest to anyone that will have this happen to them to consider the following.



        Understand how data leaks usually happen: third party contractors are targeted first. I will tell you that even the lowest, but serious threat actor has the capability to gather immense throves of data on your company, contractors and its internals so it will be known who contractors are. You might not believe it, but HR software your company uses to manage its employees are more vulnerable than a defenseless cat cornered by 10 wolves.



        Often times these contractors aren't serious about security and are way, way easier to penetrate than the company itself which might have bolstered defenses. Think about it this way -- why go through the main company's defenses when you can go after its contractors or low-tier employees who have no idea about security?



        By proxy, I know of a case where a country's entire research division that was made of universities, the defense department and others had several servers where they'd upload "research results & schematics". There was a professor who had an old chatting server that was very abusable. They got inside the pretty beefy research network through that guy's chatting server after pinballing through close to a dozen computers before going there.



        You might have a case of a contractor getting hacked. People who would land themselves in jail like this and have their lives ruined are very, very rare and often times mentally ill. Statistically speaking, there's no way he did this himself and by contrast, it means someone else leaked the information to hurt the main company. He's just a pawn.



        You also hinted at this being a strong possibility with "why would he keylog himself?". No one does that. You also said that you saw dumps of logs and tokens that were one-time use. Who do you think could be looking for these when you think about the contractor, a hacker targeting the company through this contractor and the company?



        Something smells bad here.



        As the top answer said, go to a lawyer, but don't go in bad faith.






        share|improve this answer


































          0













          First, suggest you to change credentials of everything you know of. There are hackers who love this kind of data and use this for their own usage like cyber attack, ransom ware and etc.



          Also same time initiate the complain to take down the site and stop spread of data on internet.



          These are important. First protect your business. Later you can go for legal proceedings on the person.






          share|improve this answer

























          • "Same time" rarely works for humans. Changing 1000s of leaked passwords may take a while, which is why I would initiate the takedown first, then start changing passwords.

            – Thomas Weller
            Aug 12 at 19:14













          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "162"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f215025%2fex-contractor-published-company-source-code-and-secrets-online%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          8 Answers
          8






          active

          oldest

          votes








          8 Answers
          8






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          83













          First take screenshots of what you find. For the data that is yours, you should catalogue that. Personally, I would download it so you have a reference. You should take screenshots of your own data and avoid data that is not yours. Make sure you include the URLs. Document those in a way that a lawyer can understand. This is likely to become a legal problem, not an IT problem. I say "screenshots" because that is unambiguous and lawyers understand screenshots.



          Contact your internal lawyers, plus your communications or media people. You need to get this breach onto their radar. The lawyers will then need to look into the commercial contract with the contractor, probably via the account management team if you work for a big old company. No one in senior leadership will want to find out about it from everyone's favourite IDS: Twitter. Your comms / PR teams will need to deal with any messages that come about from this. Your executive team may need to be involved. You should get guidance from your CIO unless you are the CIO, in which case I would be inclined to inform people internally.



          Engage with your company data protection officer. That may be the lawyer. They will decide if the breach is GDPR / ICO notifiable. You have to do this quickly as you have 72 hours to make the decision from the point you are aware; that includes the weekend (never go looking for incidents on a Friday…). Your DPO will advise. If you are the DPO then you might want to engage your company external legal counsel to confirm your decisions.



          Once you have looked at the data, you will be able to advice how many data subjects are affected, if any. You will also be able to determine if the data breach affects any of your clients as you may have a contractual obligation to inform them.



          Contact the hosting company. If it's something like GitHub then they may be inclined to play nicely. You may need to get your lawyers to write to them as officers of the company.



          Contact the contractor, ideally via their contracted company, and via the in-house lawyer. Demand they take down what is there.



          Now you can start to work out the material impact to your business. Credentials, keys and other authentication tokens will need to be changed I expect.



          Depending on the size of your company, your appetite for risk, and your pocket size, you might want to consider bringing in a forensics-type company to go out hunting for similar data. Yes I know it's a bit of security theatre, but if you work for a FTSE100 firm then a report with a Big4 audit badge saying "no more issues" is exactly what you need should the midden hit the windmill. (I am amazed at what I see big firms spend on such reports as, of course, the same thing from an internal person is often considered to count for little).



          I am not sure about the data that is not yours. If you start trying to engage with third parties then you are bound to be asked what data you have got from them and they are bound to ask you to confirm that any data you have taken has been deleted. Personally I'd be inclined to ignore any data that is not mine. You might want to make a disclosure to whomever you think is the data owner, entirely up to you.



          You mention keylog; if you are wondering why an individual might have a keystroke logger on their own PC then well to be generous they might be using it as a simple backup of what they type. I know people who have done that.



          Aside: Finally as a tangential observation, what you have found is not that uncommon. People store all kinds of junk; for example people link their home data storage to the internet via FTP: we run regular assessments for such data that contains our company strings.






          share|improve this answer






















          • 59





            This is pretty helpful, but I'd change one thing. When it comes to other people's data, absolutely do not, under any circumstances, screenshot download, or even (to the extent you can avoid it), view it. You seem a bit uncertain about that point, but the law is very clear in almost all jurisdictions. Any attempt to download or record someone else's data, without their permission, even when already leaked, may end with you or your company in your own legal trouble with that company.

            – Conor Mancone
            Aug 9 at 13:42






          • 4





            @ConorMancone Would it be worth contacting the company if they're identifiable by something like filename? I am guessing the OP is seeing some sort of listing. If the OP sees a folder called stackexchange.com, I would think it would be fine to send stackexchange a link to the listing. Like "hey, thought you'd like to know, haven't checked it out, but you should."

            – Tin Can
            Aug 9 at 20:54






          • 6





            @TinCan I think that is perfectly reasonable. You obviously can't avoid seeing things, and so knowing the name of companies involved is explainable and reasonable. However, if they ask you anything about the details of what you found, you need to be able to say honestly and unequivocally, "I did not in anyway download or save any information from your company. I saw just enough to identify you as a victim, and stopped looking further as soon as I saw that it was confidential information"

            – Conor Mancone
            Aug 9 at 21:01






          • 20





            Don't contact anyone on your own. Let the company lawyer contact any third party if the lawyer so desires. At this point you absolutely want the support of your companies legal team. Let them lead.

            – MaxW
            Aug 10 at 6:19






          • 4





            Great answer. "The same thing from an internal person is often considered to count for little" I would say the internal person would be relieved not to take professional responsibility for the accuracy of their report; whereas an external agent will have lawyers and insurance, etc.

            – jpaugh
            Aug 11 at 6:14















          83













          First take screenshots of what you find. For the data that is yours, you should catalogue that. Personally, I would download it so you have a reference. You should take screenshots of your own data and avoid data that is not yours. Make sure you include the URLs. Document those in a way that a lawyer can understand. This is likely to become a legal problem, not an IT problem. I say "screenshots" because that is unambiguous and lawyers understand screenshots.



          Contact your internal lawyers, plus your communications or media people. You need to get this breach onto their radar. The lawyers will then need to look into the commercial contract with the contractor, probably via the account management team if you work for a big old company. No one in senior leadership will want to find out about it from everyone's favourite IDS: Twitter. Your comms / PR teams will need to deal with any messages that come about from this. Your executive team may need to be involved. You should get guidance from your CIO unless you are the CIO, in which case I would be inclined to inform people internally.



          Engage with your company data protection officer. That may be the lawyer. They will decide if the breach is GDPR / ICO notifiable. You have to do this quickly as you have 72 hours to make the decision from the point you are aware; that includes the weekend (never go looking for incidents on a Friday…). Your DPO will advise. If you are the DPO then you might want to engage your company external legal counsel to confirm your decisions.



          Once you have looked at the data, you will be able to advice how many data subjects are affected, if any. You will also be able to determine if the data breach affects any of your clients as you may have a contractual obligation to inform them.



          Contact the hosting company. If it's something like GitHub then they may be inclined to play nicely. You may need to get your lawyers to write to them as officers of the company.



          Contact the contractor, ideally via their contracted company, and via the in-house lawyer. Demand they take down what is there.



          Now you can start to work out the material impact to your business. Credentials, keys and other authentication tokens will need to be changed I expect.



          Depending on the size of your company, your appetite for risk, and your pocket size, you might want to consider bringing in a forensics-type company to go out hunting for similar data. Yes I know it's a bit of security theatre, but if you work for a FTSE100 firm then a report with a Big4 audit badge saying "no more issues" is exactly what you need should the midden hit the windmill. (I am amazed at what I see big firms spend on such reports as, of course, the same thing from an internal person is often considered to count for little).



          I am not sure about the data that is not yours. If you start trying to engage with third parties then you are bound to be asked what data you have got from them and they are bound to ask you to confirm that any data you have taken has been deleted. Personally I'd be inclined to ignore any data that is not mine. You might want to make a disclosure to whomever you think is the data owner, entirely up to you.



          You mention keylog; if you are wondering why an individual might have a keystroke logger on their own PC then well to be generous they might be using it as a simple backup of what they type. I know people who have done that.



          Aside: Finally as a tangential observation, what you have found is not that uncommon. People store all kinds of junk; for example people link their home data storage to the internet via FTP: we run regular assessments for such data that contains our company strings.






          share|improve this answer






















          • 59





            This is pretty helpful, but I'd change one thing. When it comes to other people's data, absolutely do not, under any circumstances, screenshot download, or even (to the extent you can avoid it), view it. You seem a bit uncertain about that point, but the law is very clear in almost all jurisdictions. Any attempt to download or record someone else's data, without their permission, even when already leaked, may end with you or your company in your own legal trouble with that company.

            – Conor Mancone
            Aug 9 at 13:42






          • 4





            @ConorMancone Would it be worth contacting the company if they're identifiable by something like filename? I am guessing the OP is seeing some sort of listing. If the OP sees a folder called stackexchange.com, I would think it would be fine to send stackexchange a link to the listing. Like "hey, thought you'd like to know, haven't checked it out, but you should."

            – Tin Can
            Aug 9 at 20:54






          • 6





            @TinCan I think that is perfectly reasonable. You obviously can't avoid seeing things, and so knowing the name of companies involved is explainable and reasonable. However, if they ask you anything about the details of what you found, you need to be able to say honestly and unequivocally, "I did not in anyway download or save any information from your company. I saw just enough to identify you as a victim, and stopped looking further as soon as I saw that it was confidential information"

            – Conor Mancone
            Aug 9 at 21:01






          • 20





            Don't contact anyone on your own. Let the company lawyer contact any third party if the lawyer so desires. At this point you absolutely want the support of your companies legal team. Let them lead.

            – MaxW
            Aug 10 at 6:19






          • 4





            Great answer. "The same thing from an internal person is often considered to count for little" I would say the internal person would be relieved not to take professional responsibility for the accuracy of their report; whereas an external agent will have lawyers and insurance, etc.

            – jpaugh
            Aug 11 at 6:14













          83












          83








          83







          First take screenshots of what you find. For the data that is yours, you should catalogue that. Personally, I would download it so you have a reference. You should take screenshots of your own data and avoid data that is not yours. Make sure you include the URLs. Document those in a way that a lawyer can understand. This is likely to become a legal problem, not an IT problem. I say "screenshots" because that is unambiguous and lawyers understand screenshots.



          Contact your internal lawyers, plus your communications or media people. You need to get this breach onto their radar. The lawyers will then need to look into the commercial contract with the contractor, probably via the account management team if you work for a big old company. No one in senior leadership will want to find out about it from everyone's favourite IDS: Twitter. Your comms / PR teams will need to deal with any messages that come about from this. Your executive team may need to be involved. You should get guidance from your CIO unless you are the CIO, in which case I would be inclined to inform people internally.



          Engage with your company data protection officer. That may be the lawyer. They will decide if the breach is GDPR / ICO notifiable. You have to do this quickly as you have 72 hours to make the decision from the point you are aware; that includes the weekend (never go looking for incidents on a Friday…). Your DPO will advise. If you are the DPO then you might want to engage your company external legal counsel to confirm your decisions.



          Once you have looked at the data, you will be able to advice how many data subjects are affected, if any. You will also be able to determine if the data breach affects any of your clients as you may have a contractual obligation to inform them.



          Contact the hosting company. If it's something like GitHub then they may be inclined to play nicely. You may need to get your lawyers to write to them as officers of the company.



          Contact the contractor, ideally via their contracted company, and via the in-house lawyer. Demand they take down what is there.



          Now you can start to work out the material impact to your business. Credentials, keys and other authentication tokens will need to be changed I expect.



          Depending on the size of your company, your appetite for risk, and your pocket size, you might want to consider bringing in a forensics-type company to go out hunting for similar data. Yes I know it's a bit of security theatre, but if you work for a FTSE100 firm then a report with a Big4 audit badge saying "no more issues" is exactly what you need should the midden hit the windmill. (I am amazed at what I see big firms spend on such reports as, of course, the same thing from an internal person is often considered to count for little).



          I am not sure about the data that is not yours. If you start trying to engage with third parties then you are bound to be asked what data you have got from them and they are bound to ask you to confirm that any data you have taken has been deleted. Personally I'd be inclined to ignore any data that is not mine. You might want to make a disclosure to whomever you think is the data owner, entirely up to you.



          You mention keylog; if you are wondering why an individual might have a keystroke logger on their own PC then well to be generous they might be using it as a simple backup of what they type. I know people who have done that.



          Aside: Finally as a tangential observation, what you have found is not that uncommon. People store all kinds of junk; for example people link their home data storage to the internet via FTP: we run regular assessments for such data that contains our company strings.






          share|improve this answer















          First take screenshots of what you find. For the data that is yours, you should catalogue that. Personally, I would download it so you have a reference. You should take screenshots of your own data and avoid data that is not yours. Make sure you include the URLs. Document those in a way that a lawyer can understand. This is likely to become a legal problem, not an IT problem. I say "screenshots" because that is unambiguous and lawyers understand screenshots.



          Contact your internal lawyers, plus your communications or media people. You need to get this breach onto their radar. The lawyers will then need to look into the commercial contract with the contractor, probably via the account management team if you work for a big old company. No one in senior leadership will want to find out about it from everyone's favourite IDS: Twitter. Your comms / PR teams will need to deal with any messages that come about from this. Your executive team may need to be involved. You should get guidance from your CIO unless you are the CIO, in which case I would be inclined to inform people internally.



          Engage with your company data protection officer. That may be the lawyer. They will decide if the breach is GDPR / ICO notifiable. You have to do this quickly as you have 72 hours to make the decision from the point you are aware; that includes the weekend (never go looking for incidents on a Friday…). Your DPO will advise. If you are the DPO then you might want to engage your company external legal counsel to confirm your decisions.



          Once you have looked at the data, you will be able to advice how many data subjects are affected, if any. You will also be able to determine if the data breach affects any of your clients as you may have a contractual obligation to inform them.



          Contact the hosting company. If it's something like GitHub then they may be inclined to play nicely. You may need to get your lawyers to write to them as officers of the company.



          Contact the contractor, ideally via their contracted company, and via the in-house lawyer. Demand they take down what is there.



          Now you can start to work out the material impact to your business. Credentials, keys and other authentication tokens will need to be changed I expect.



          Depending on the size of your company, your appetite for risk, and your pocket size, you might want to consider bringing in a forensics-type company to go out hunting for similar data. Yes I know it's a bit of security theatre, but if you work for a FTSE100 firm then a report with a Big4 audit badge saying "no more issues" is exactly what you need should the midden hit the windmill. (I am amazed at what I see big firms spend on such reports as, of course, the same thing from an internal person is often considered to count for little).



          I am not sure about the data that is not yours. If you start trying to engage with third parties then you are bound to be asked what data you have got from them and they are bound to ask you to confirm that any data you have taken has been deleted. Personally I'd be inclined to ignore any data that is not mine. You might want to make a disclosure to whomever you think is the data owner, entirely up to you.



          You mention keylog; if you are wondering why an individual might have a keystroke logger on their own PC then well to be generous they might be using it as a simple backup of what they type. I know people who have done that.



          Aside: Finally as a tangential observation, what you have found is not that uncommon. People store all kinds of junk; for example people link their home data storage to the internet via FTP: we run regular assessments for such data that contains our company strings.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Aug 12 at 6:32









          Michael

          1,21912 silver badges27 bronze badges




          1,21912 silver badges27 bronze badges










          answered Aug 9 at 13:04









          Unicorn TearsUnicorn Tears

          1,1431 silver badge5 bronze badges




          1,1431 silver badge5 bronze badges










          • 59





            This is pretty helpful, but I'd change one thing. When it comes to other people's data, absolutely do not, under any circumstances, screenshot download, or even (to the extent you can avoid it), view it. You seem a bit uncertain about that point, but the law is very clear in almost all jurisdictions. Any attempt to download or record someone else's data, without their permission, even when already leaked, may end with you or your company in your own legal trouble with that company.

            – Conor Mancone
            Aug 9 at 13:42






          • 4





            @ConorMancone Would it be worth contacting the company if they're identifiable by something like filename? I am guessing the OP is seeing some sort of listing. If the OP sees a folder called stackexchange.com, I would think it would be fine to send stackexchange a link to the listing. Like "hey, thought you'd like to know, haven't checked it out, but you should."

            – Tin Can
            Aug 9 at 20:54






          • 6





            @TinCan I think that is perfectly reasonable. You obviously can't avoid seeing things, and so knowing the name of companies involved is explainable and reasonable. However, if they ask you anything about the details of what you found, you need to be able to say honestly and unequivocally, "I did not in anyway download or save any information from your company. I saw just enough to identify you as a victim, and stopped looking further as soon as I saw that it was confidential information"

            – Conor Mancone
            Aug 9 at 21:01






          • 20





            Don't contact anyone on your own. Let the company lawyer contact any third party if the lawyer so desires. At this point you absolutely want the support of your companies legal team. Let them lead.

            – MaxW
            Aug 10 at 6:19






          • 4





            Great answer. "The same thing from an internal person is often considered to count for little" I would say the internal person would be relieved not to take professional responsibility for the accuracy of their report; whereas an external agent will have lawyers and insurance, etc.

            – jpaugh
            Aug 11 at 6:14












          • 59





            This is pretty helpful, but I'd change one thing. When it comes to other people's data, absolutely do not, under any circumstances, screenshot download, or even (to the extent you can avoid it), view it. You seem a bit uncertain about that point, but the law is very clear in almost all jurisdictions. Any attempt to download or record someone else's data, without their permission, even when already leaked, may end with you or your company in your own legal trouble with that company.

            – Conor Mancone
            Aug 9 at 13:42






          • 4





            @ConorMancone Would it be worth contacting the company if they're identifiable by something like filename? I am guessing the OP is seeing some sort of listing. If the OP sees a folder called stackexchange.com, I would think it would be fine to send stackexchange a link to the listing. Like "hey, thought you'd like to know, haven't checked it out, but you should."

            – Tin Can
            Aug 9 at 20:54






          • 6





            @TinCan I think that is perfectly reasonable. You obviously can't avoid seeing things, and so knowing the name of companies involved is explainable and reasonable. However, if they ask you anything about the details of what you found, you need to be able to say honestly and unequivocally, "I did not in anyway download or save any information from your company. I saw just enough to identify you as a victim, and stopped looking further as soon as I saw that it was confidential information"

            – Conor Mancone
            Aug 9 at 21:01






          • 20





            Don't contact anyone on your own. Let the company lawyer contact any third party if the lawyer so desires. At this point you absolutely want the support of your companies legal team. Let them lead.

            – MaxW
            Aug 10 at 6:19






          • 4





            Great answer. "The same thing from an internal person is often considered to count for little" I would say the internal person would be relieved not to take professional responsibility for the accuracy of their report; whereas an external agent will have lawyers and insurance, etc.

            – jpaugh
            Aug 11 at 6:14







          59




          59





          This is pretty helpful, but I'd change one thing. When it comes to other people's data, absolutely do not, under any circumstances, screenshot download, or even (to the extent you can avoid it), view it. You seem a bit uncertain about that point, but the law is very clear in almost all jurisdictions. Any attempt to download or record someone else's data, without their permission, even when already leaked, may end with you or your company in your own legal trouble with that company.

          – Conor Mancone
          Aug 9 at 13:42





          This is pretty helpful, but I'd change one thing. When it comes to other people's data, absolutely do not, under any circumstances, screenshot download, or even (to the extent you can avoid it), view it. You seem a bit uncertain about that point, but the law is very clear in almost all jurisdictions. Any attempt to download or record someone else's data, without their permission, even when already leaked, may end with you or your company in your own legal trouble with that company.

          – Conor Mancone
          Aug 9 at 13:42




          4




          4





          @ConorMancone Would it be worth contacting the company if they're identifiable by something like filename? I am guessing the OP is seeing some sort of listing. If the OP sees a folder called stackexchange.com, I would think it would be fine to send stackexchange a link to the listing. Like "hey, thought you'd like to know, haven't checked it out, but you should."

          – Tin Can
          Aug 9 at 20:54





          @ConorMancone Would it be worth contacting the company if they're identifiable by something like filename? I am guessing the OP is seeing some sort of listing. If the OP sees a folder called stackexchange.com, I would think it would be fine to send stackexchange a link to the listing. Like "hey, thought you'd like to know, haven't checked it out, but you should."

          – Tin Can
          Aug 9 at 20:54




          6




          6





          @TinCan I think that is perfectly reasonable. You obviously can't avoid seeing things, and so knowing the name of companies involved is explainable and reasonable. However, if they ask you anything about the details of what you found, you need to be able to say honestly and unequivocally, "I did not in anyway download or save any information from your company. I saw just enough to identify you as a victim, and stopped looking further as soon as I saw that it was confidential information"

          – Conor Mancone
          Aug 9 at 21:01





          @TinCan I think that is perfectly reasonable. You obviously can't avoid seeing things, and so knowing the name of companies involved is explainable and reasonable. However, if they ask you anything about the details of what you found, you need to be able to say honestly and unequivocally, "I did not in anyway download or save any information from your company. I saw just enough to identify you as a victim, and stopped looking further as soon as I saw that it was confidential information"

          – Conor Mancone
          Aug 9 at 21:01




          20




          20





          Don't contact anyone on your own. Let the company lawyer contact any third party if the lawyer so desires. At this point you absolutely want the support of your companies legal team. Let them lead.

          – MaxW
          Aug 10 at 6:19





          Don't contact anyone on your own. Let the company lawyer contact any third party if the lawyer so desires. At this point you absolutely want the support of your companies legal team. Let them lead.

          – MaxW
          Aug 10 at 6:19




          4




          4





          Great answer. "The same thing from an internal person is often considered to count for little" I would say the internal person would be relieved not to take professional responsibility for the accuracy of their report; whereas an external agent will have lawyers and insurance, etc.

          – jpaugh
          Aug 11 at 6:14





          Great answer. "The same thing from an internal person is often considered to count for little" I would say the internal person would be relieved not to take professional responsibility for the accuracy of their report; whereas an external agent will have lawyers and insurance, etc.

          – jpaugh
          Aug 11 at 6:14













          26













          You typically want to contact the hosting company to take it down and hold all data and logs under a legal hold.



          You could also contact the other companies affected.



          Legally, you will need to contact a lawyer and the law enforcement in your jurisdition.






          share|improve this answer





























            26













            You typically want to contact the hosting company to take it down and hold all data and logs under a legal hold.



            You could also contact the other companies affected.



            Legally, you will need to contact a lawyer and the law enforcement in your jurisdition.






            share|improve this answer



























              26












              26








              26







              You typically want to contact the hosting company to take it down and hold all data and logs under a legal hold.



              You could also contact the other companies affected.



              Legally, you will need to contact a lawyer and the law enforcement in your jurisdition.






              share|improve this answer













              You typically want to contact the hosting company to take it down and hold all data and logs under a legal hold.



              You could also contact the other companies affected.



              Legally, you will need to contact a lawyer and the law enforcement in your jurisdition.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered Aug 9 at 11:20









              schroederschroeder

              85.1k34 gold badges190 silver badges228 bronze badges




              85.1k34 gold badges190 silver badges228 bronze badges
























                  20













                  It should go without saying, but make sure that those login credentials are not working on your system. If they weren't deactivated when he left your organization (when they should have been), you'll want to audit your access logs to make sure they haven't been used since he left -- if they were on a public website where anyone could find them, you should assume that someone has tried them.



                  Keep a careful log of everything you're finding, including details like when and how you're finding it. Law enforcement will want to know. You may very well have to testify in court about this one day -- even if your company doesn't sue, the other companies might, and you will look more professional if you have all the details ready when they call you as a witness.






                  share|improve this answer





























                    20













                    It should go without saying, but make sure that those login credentials are not working on your system. If they weren't deactivated when he left your organization (when they should have been), you'll want to audit your access logs to make sure they haven't been used since he left -- if they were on a public website where anyone could find them, you should assume that someone has tried them.



                    Keep a careful log of everything you're finding, including details like when and how you're finding it. Law enforcement will want to know. You may very well have to testify in court about this one day -- even if your company doesn't sue, the other companies might, and you will look more professional if you have all the details ready when they call you as a witness.






                    share|improve this answer



























                      20












                      20








                      20







                      It should go without saying, but make sure that those login credentials are not working on your system. If they weren't deactivated when he left your organization (when they should have been), you'll want to audit your access logs to make sure they haven't been used since he left -- if they were on a public website where anyone could find them, you should assume that someone has tried them.



                      Keep a careful log of everything you're finding, including details like when and how you're finding it. Law enforcement will want to know. You may very well have to testify in court about this one day -- even if your company doesn't sue, the other companies might, and you will look more professional if you have all the details ready when they call you as a witness.






                      share|improve this answer













                      It should go without saying, but make sure that those login credentials are not working on your system. If they weren't deactivated when he left your organization (when they should have been), you'll want to audit your access logs to make sure they haven't been used since he left -- if they were on a public website where anyone could find them, you should assume that someone has tried them.



                      Keep a careful log of everything you're finding, including details like when and how you're finding it. Law enforcement will want to know. You may very well have to testify in court about this one day -- even if your company doesn't sue, the other companies might, and you will look more professional if you have all the details ready when they call you as a witness.







                      share|improve this answer












                      share|improve this answer



                      share|improve this answer










                      answered Aug 9 at 12:28









                      user3583489user3583489

                      3213 bronze badges




                      3213 bronze badges
























                          17













                          If you are a regular member of staff at the company, your correct escalation should be through the Infosec team, and fall back to the Legal and IT departments if your company isn't big enough to have a dedicated Infosec team. I would also copy HR on any communication.



                          This is an extremely serious scenario. If you don't know what to do (and the fact that you are very sensibly asking for advice on Stack Exchange shows that you don't) then you need to pass this over to the teams within your company that do.



                          Don't try to do anything outside of the company by yourself.



                          Provide your Infosec/IT/Legal teams with the URLs to the information that is hosted on that site.



                          If you have downloaded information that relates to other companies, delete it. It is confidential information that you should not be in possession of. Instead, let your Infosec/IT/Legal teams contact the other companies in an official capacity.






                          share|improve this answer





























                            17













                            If you are a regular member of staff at the company, your correct escalation should be through the Infosec team, and fall back to the Legal and IT departments if your company isn't big enough to have a dedicated Infosec team. I would also copy HR on any communication.



                            This is an extremely serious scenario. If you don't know what to do (and the fact that you are very sensibly asking for advice on Stack Exchange shows that you don't) then you need to pass this over to the teams within your company that do.



                            Don't try to do anything outside of the company by yourself.



                            Provide your Infosec/IT/Legal teams with the URLs to the information that is hosted on that site.



                            If you have downloaded information that relates to other companies, delete it. It is confidential information that you should not be in possession of. Instead, let your Infosec/IT/Legal teams contact the other companies in an official capacity.






                            share|improve this answer



























                              17












                              17








                              17







                              If you are a regular member of staff at the company, your correct escalation should be through the Infosec team, and fall back to the Legal and IT departments if your company isn't big enough to have a dedicated Infosec team. I would also copy HR on any communication.



                              This is an extremely serious scenario. If you don't know what to do (and the fact that you are very sensibly asking for advice on Stack Exchange shows that you don't) then you need to pass this over to the teams within your company that do.



                              Don't try to do anything outside of the company by yourself.



                              Provide your Infosec/IT/Legal teams with the URLs to the information that is hosted on that site.



                              If you have downloaded information that relates to other companies, delete it. It is confidential information that you should not be in possession of. Instead, let your Infosec/IT/Legal teams contact the other companies in an official capacity.






                              share|improve this answer













                              If you are a regular member of staff at the company, your correct escalation should be through the Infosec team, and fall back to the Legal and IT departments if your company isn't big enough to have a dedicated Infosec team. I would also copy HR on any communication.



                              This is an extremely serious scenario. If you don't know what to do (and the fact that you are very sensibly asking for advice on Stack Exchange shows that you don't) then you need to pass this over to the teams within your company that do.



                              Don't try to do anything outside of the company by yourself.



                              Provide your Infosec/IT/Legal teams with the URLs to the information that is hosted on that site.



                              If you have downloaded information that relates to other companies, delete it. It is confidential information that you should not be in possession of. Instead, let your Infosec/IT/Legal teams contact the other companies in an official capacity.







                              share|improve this answer












                              share|improve this answer



                              share|improve this answer










                              answered Aug 11 at 10:29









                              Roger LucasRoger Lucas

                              1712 bronze badges




                              1712 bronze badges
























                                  8













                                  For getting it taken down, you could have a US lawyer issue a DMCA takedown notice to the hosting provider, asserting that you own the content and have not consented to it being distributed - this should get an immediate reaction if the hosting provider honours DMCA notices, to which the contractor can respond.






                                  share|improve this answer

























                                  • I would think that a professional provider would take down such a file "immediately" (i.e., after a quick look at it to corroborate your findings) after you alert them and present a few of your information details in there which should obviously not be online.

                                    – Peter A. Schneider
                                    Aug 10 at 11:13






                                  • 3





                                    @PeterA.Schneider most decent providers should act under the safe harbour protections, which means they cannot make those sort of determinations - best to send a proper legal request such as under the DMCA which allows them to take down the content without making a determination. A provider that validates your request by looking at the content and makes a determination opens themselves up to massive liability.

                                    – Moo
                                    Aug 10 at 11:43






                                  • 1





                                    Yes, of course the legal avenue should be pursued in parallel. But in case of a gross and obvious data leak ("major bank", "passwords" etc.) I believe the provider has a duty to act immediately as well when alerted of it, in order to avoid further damage to third parties. It's conflicting duties for sure, and it will be important to give good proof.

                                    – Peter A. Schneider
                                    Aug 10 at 12:16











                                  • Be aware that outside of the US, DMCA requests are not free, and substantial costs may be involved.

                                    – mckenzm
                                    Aug 11 at 5:25











                                  • @PeterA.Schneider FWIW, You should never pursue an other-than-legal avenue. ;-) I would expect a DMCA letter to be prioritized over a "mere" support request --- e.g. it doesn't need to be triaged before responding --- so that actually might be the quickest way to notify the right technical staff.

                                    – jpaugh
                                    Aug 11 at 6:24















                                  8













                                  For getting it taken down, you could have a US lawyer issue a DMCA takedown notice to the hosting provider, asserting that you own the content and have not consented to it being distributed - this should get an immediate reaction if the hosting provider honours DMCA notices, to which the contractor can respond.






                                  share|improve this answer

























                                  • I would think that a professional provider would take down such a file "immediately" (i.e., after a quick look at it to corroborate your findings) after you alert them and present a few of your information details in there which should obviously not be online.

                                    – Peter A. Schneider
                                    Aug 10 at 11:13






                                  • 3





                                    @PeterA.Schneider most decent providers should act under the safe harbour protections, which means they cannot make those sort of determinations - best to send a proper legal request such as under the DMCA which allows them to take down the content without making a determination. A provider that validates your request by looking at the content and makes a determination opens themselves up to massive liability.

                                    – Moo
                                    Aug 10 at 11:43






                                  • 1





                                    Yes, of course the legal avenue should be pursued in parallel. But in case of a gross and obvious data leak ("major bank", "passwords" etc.) I believe the provider has a duty to act immediately as well when alerted of it, in order to avoid further damage to third parties. It's conflicting duties for sure, and it will be important to give good proof.

                                    – Peter A. Schneider
                                    Aug 10 at 12:16











                                  • Be aware that outside of the US, DMCA requests are not free, and substantial costs may be involved.

                                    – mckenzm
                                    Aug 11 at 5:25











                                  • @PeterA.Schneider FWIW, You should never pursue an other-than-legal avenue. ;-) I would expect a DMCA letter to be prioritized over a "mere" support request --- e.g. it doesn't need to be triaged before responding --- so that actually might be the quickest way to notify the right technical staff.

                                    – jpaugh
                                    Aug 11 at 6:24













                                  8












                                  8








                                  8







                                  For getting it taken down, you could have a US lawyer issue a DMCA takedown notice to the hosting provider, asserting that you own the content and have not consented to it being distributed - this should get an immediate reaction if the hosting provider honours DMCA notices, to which the contractor can respond.






                                  share|improve this answer













                                  For getting it taken down, you could have a US lawyer issue a DMCA takedown notice to the hosting provider, asserting that you own the content and have not consented to it being distributed - this should get an immediate reaction if the hosting provider honours DMCA notices, to which the contractor can respond.







                                  share|improve this answer












                                  share|improve this answer



                                  share|improve this answer










                                  answered Aug 9 at 23:28









                                  MooMoo

                                  1811 bronze badge




                                  1811 bronze badge















                                  • I would think that a professional provider would take down such a file "immediately" (i.e., after a quick look at it to corroborate your findings) after you alert them and present a few of your information details in there which should obviously not be online.

                                    – Peter A. Schneider
                                    Aug 10 at 11:13






                                  • 3





                                    @PeterA.Schneider most decent providers should act under the safe harbour protections, which means they cannot make those sort of determinations - best to send a proper legal request such as under the DMCA which allows them to take down the content without making a determination. A provider that validates your request by looking at the content and makes a determination opens themselves up to massive liability.

                                    – Moo
                                    Aug 10 at 11:43






                                  • 1





                                    Yes, of course the legal avenue should be pursued in parallel. But in case of a gross and obvious data leak ("major bank", "passwords" etc.) I believe the provider has a duty to act immediately as well when alerted of it, in order to avoid further damage to third parties. It's conflicting duties for sure, and it will be important to give good proof.

                                    – Peter A. Schneider
                                    Aug 10 at 12:16











                                  • Be aware that outside of the US, DMCA requests are not free, and substantial costs may be involved.

                                    – mckenzm
                                    Aug 11 at 5:25











                                  • @PeterA.Schneider FWIW, You should never pursue an other-than-legal avenue. ;-) I would expect a DMCA letter to be prioritized over a "mere" support request --- e.g. it doesn't need to be triaged before responding --- so that actually might be the quickest way to notify the right technical staff.

                                    – jpaugh
                                    Aug 11 at 6:24

















                                  • I would think that a professional provider would take down such a file "immediately" (i.e., after a quick look at it to corroborate your findings) after you alert them and present a few of your information details in there which should obviously not be online.

                                    – Peter A. Schneider
                                    Aug 10 at 11:13






                                  • 3





                                    @PeterA.Schneider most decent providers should act under the safe harbour protections, which means they cannot make those sort of determinations - best to send a proper legal request such as under the DMCA which allows them to take down the content without making a determination. A provider that validates your request by looking at the content and makes a determination opens themselves up to massive liability.

                                    – Moo
                                    Aug 10 at 11:43






                                  • 1





                                    Yes, of course the legal avenue should be pursued in parallel. But in case of a gross and obvious data leak ("major bank", "passwords" etc.) I believe the provider has a duty to act immediately as well when alerted of it, in order to avoid further damage to third parties. It's conflicting duties for sure, and it will be important to give good proof.

                                    – Peter A. Schneider
                                    Aug 10 at 12:16











                                  • Be aware that outside of the US, DMCA requests are not free, and substantial costs may be involved.

                                    – mckenzm
                                    Aug 11 at 5:25











                                  • @PeterA.Schneider FWIW, You should never pursue an other-than-legal avenue. ;-) I would expect a DMCA letter to be prioritized over a "mere" support request --- e.g. it doesn't need to be triaged before responding --- so that actually might be the quickest way to notify the right technical staff.

                                    – jpaugh
                                    Aug 11 at 6:24
















                                  I would think that a professional provider would take down such a file "immediately" (i.e., after a quick look at it to corroborate your findings) after you alert them and present a few of your information details in there which should obviously not be online.

                                  – Peter A. Schneider
                                  Aug 10 at 11:13





                                  I would think that a professional provider would take down such a file "immediately" (i.e., after a quick look at it to corroborate your findings) after you alert them and present a few of your information details in there which should obviously not be online.

                                  – Peter A. Schneider
                                  Aug 10 at 11:13




                                  3




                                  3





                                  @PeterA.Schneider most decent providers should act under the safe harbour protections, which means they cannot make those sort of determinations - best to send a proper legal request such as under the DMCA which allows them to take down the content without making a determination. A provider that validates your request by looking at the content and makes a determination opens themselves up to massive liability.

                                  – Moo
                                  Aug 10 at 11:43





                                  @PeterA.Schneider most decent providers should act under the safe harbour protections, which means they cannot make those sort of determinations - best to send a proper legal request such as under the DMCA which allows them to take down the content without making a determination. A provider that validates your request by looking at the content and makes a determination opens themselves up to massive liability.

                                  – Moo
                                  Aug 10 at 11:43




                                  1




                                  1





                                  Yes, of course the legal avenue should be pursued in parallel. But in case of a gross and obvious data leak ("major bank", "passwords" etc.) I believe the provider has a duty to act immediately as well when alerted of it, in order to avoid further damage to third parties. It's conflicting duties for sure, and it will be important to give good proof.

                                  – Peter A. Schneider
                                  Aug 10 at 12:16





                                  Yes, of course the legal avenue should be pursued in parallel. But in case of a gross and obvious data leak ("major bank", "passwords" etc.) I believe the provider has a duty to act immediately as well when alerted of it, in order to avoid further damage to third parties. It's conflicting duties for sure, and it will be important to give good proof.

                                  – Peter A. Schneider
                                  Aug 10 at 12:16













                                  Be aware that outside of the US, DMCA requests are not free, and substantial costs may be involved.

                                  – mckenzm
                                  Aug 11 at 5:25





                                  Be aware that outside of the US, DMCA requests are not free, and substantial costs may be involved.

                                  – mckenzm
                                  Aug 11 at 5:25













                                  @PeterA.Schneider FWIW, You should never pursue an other-than-legal avenue. ;-) I would expect a DMCA letter to be prioritized over a "mere" support request --- e.g. it doesn't need to be triaged before responding --- so that actually might be the quickest way to notify the right technical staff.

                                  – jpaugh
                                  Aug 11 at 6:24





                                  @PeterA.Schneider FWIW, You should never pursue an other-than-legal avenue. ;-) I would expect a DMCA letter to be prioritized over a "mere" support request --- e.g. it doesn't need to be triaged before responding --- so that actually might be the quickest way to notify the right technical staff.

                                  – jpaugh
                                  Aug 11 at 6:24











                                  2













                                  I have been in a similar situation. I contacted my boss and the owner immediately (we only had 25 people). The owner handled everything, but he asked me to be available for a phone call. Since this involved a DOD contractor in the US, it was a DOD responsibility. We were never told the outcome.



                                  Let the owner/COO/corporate counsel contact law enforcement.



                                  US law enforcement loves to trap people for perjury. Always have a lawyer's advice and a lawyer present when you speak with law enforcement.



                                  Let the lawyers handle any screenshots.



                                  Let law enforcement notify other entities that their sensitive information has leaked.






                                  share|improve this answer



























                                  • I'm unfamiliar with the term "LE". Can you explain?

                                    – chue x
                                    Aug 12 at 14:04






                                  • 1





                                    @chuex: possibly Law Enforcement?

                                    – Christian Severin
                                    Aug 12 at 14:29















                                  2













                                  I have been in a similar situation. I contacted my boss and the owner immediately (we only had 25 people). The owner handled everything, but he asked me to be available for a phone call. Since this involved a DOD contractor in the US, it was a DOD responsibility. We were never told the outcome.



                                  Let the owner/COO/corporate counsel contact law enforcement.



                                  US law enforcement loves to trap people for perjury. Always have a lawyer's advice and a lawyer present when you speak with law enforcement.



                                  Let the lawyers handle any screenshots.



                                  Let law enforcement notify other entities that their sensitive information has leaked.






                                  share|improve this answer



























                                  • I'm unfamiliar with the term "LE". Can you explain?

                                    – chue x
                                    Aug 12 at 14:04






                                  • 1





                                    @chuex: possibly Law Enforcement?

                                    – Christian Severin
                                    Aug 12 at 14:29













                                  2












                                  2








                                  2







                                  I have been in a similar situation. I contacted my boss and the owner immediately (we only had 25 people). The owner handled everything, but he asked me to be available for a phone call. Since this involved a DOD contractor in the US, it was a DOD responsibility. We were never told the outcome.



                                  Let the owner/COO/corporate counsel contact law enforcement.



                                  US law enforcement loves to trap people for perjury. Always have a lawyer's advice and a lawyer present when you speak with law enforcement.



                                  Let the lawyers handle any screenshots.



                                  Let law enforcement notify other entities that their sensitive information has leaked.






                                  share|improve this answer















                                  I have been in a similar situation. I contacted my boss and the owner immediately (we only had 25 people). The owner handled everything, but he asked me to be available for a phone call. Since this involved a DOD contractor in the US, it was a DOD responsibility. We were never told the outcome.



                                  Let the owner/COO/corporate counsel contact law enforcement.



                                  US law enforcement loves to trap people for perjury. Always have a lawyer's advice and a lawyer present when you speak with law enforcement.



                                  Let the lawyers handle any screenshots.



                                  Let law enforcement notify other entities that their sensitive information has leaked.







                                  share|improve this answer














                                  share|improve this answer



                                  share|improve this answer








                                  edited Aug 14 at 13:11

























                                  answered Aug 12 at 12:49









                                  Daisuke AramakiDaisuke Aramaki

                                  213 bronze badges




                                  213 bronze badges















                                  • I'm unfamiliar with the term "LE". Can you explain?

                                    – chue x
                                    Aug 12 at 14:04






                                  • 1





                                    @chuex: possibly Law Enforcement?

                                    – Christian Severin
                                    Aug 12 at 14:29

















                                  • I'm unfamiliar with the term "LE". Can you explain?

                                    – chue x
                                    Aug 12 at 14:04






                                  • 1





                                    @chuex: possibly Law Enforcement?

                                    – Christian Severin
                                    Aug 12 at 14:29
















                                  I'm unfamiliar with the term "LE". Can you explain?

                                  – chue x
                                  Aug 12 at 14:04





                                  I'm unfamiliar with the term "LE". Can you explain?

                                  – chue x
                                  Aug 12 at 14:04




                                  1




                                  1





                                  @chuex: possibly Law Enforcement?

                                  – Christian Severin
                                  Aug 12 at 14:29





                                  @chuex: possibly Law Enforcement?

                                  – Christian Severin
                                  Aug 12 at 14:29











                                  1













                                  This is an addition to the other answer from the top (currently). I understand it's been 3 days already and we won't see an answer from OP, but I strongly suggest to anyone that will have this happen to them to consider the following.



                                  Understand how data leaks usually happen: third party contractors are targeted first. I will tell you that even the lowest, but serious threat actor has the capability to gather immense throves of data on your company, contractors and its internals so it will be known who contractors are. You might not believe it, but HR software your company uses to manage its employees are more vulnerable than a defenseless cat cornered by 10 wolves.



                                  Often times these contractors aren't serious about security and are way, way easier to penetrate than the company itself which might have bolstered defenses. Think about it this way -- why go through the main company's defenses when you can go after its contractors or low-tier employees who have no idea about security?



                                  By proxy, I know of a case where a country's entire research division that was made of universities, the defense department and others had several servers where they'd upload "research results & schematics". There was a professor who had an old chatting server that was very abusable. They got inside the pretty beefy research network through that guy's chatting server after pinballing through close to a dozen computers before going there.



                                  You might have a case of a contractor getting hacked. People who would land themselves in jail like this and have their lives ruined are very, very rare and often times mentally ill. Statistically speaking, there's no way he did this himself and by contrast, it means someone else leaked the information to hurt the main company. He's just a pawn.



                                  You also hinted at this being a strong possibility with "why would he keylog himself?". No one does that. You also said that you saw dumps of logs and tokens that were one-time use. Who do you think could be looking for these when you think about the contractor, a hacker targeting the company through this contractor and the company?



                                  Something smells bad here.



                                  As the top answer said, go to a lawyer, but don't go in bad faith.






                                  share|improve this answer































                                    1













                                    This is an addition to the other answer from the top (currently). I understand it's been 3 days already and we won't see an answer from OP, but I strongly suggest to anyone that will have this happen to them to consider the following.



                                    Understand how data leaks usually happen: third party contractors are targeted first. I will tell you that even the lowest, but serious threat actor has the capability to gather immense throves of data on your company, contractors and its internals so it will be known who contractors are. You might not believe it, but HR software your company uses to manage its employees are more vulnerable than a defenseless cat cornered by 10 wolves.



                                    Often times these contractors aren't serious about security and are way, way easier to penetrate than the company itself which might have bolstered defenses. Think about it this way -- why go through the main company's defenses when you can go after its contractors or low-tier employees who have no idea about security?



                                    By proxy, I know of a case where a country's entire research division that was made of universities, the defense department and others had several servers where they'd upload "research results & schematics". There was a professor who had an old chatting server that was very abusable. They got inside the pretty beefy research network through that guy's chatting server after pinballing through close to a dozen computers before going there.



                                    You might have a case of a contractor getting hacked. People who would land themselves in jail like this and have their lives ruined are very, very rare and often times mentally ill. Statistically speaking, there's no way he did this himself and by contrast, it means someone else leaked the information to hurt the main company. He's just a pawn.



                                    You also hinted at this being a strong possibility with "why would he keylog himself?". No one does that. You also said that you saw dumps of logs and tokens that were one-time use. Who do you think could be looking for these when you think about the contractor, a hacker targeting the company through this contractor and the company?



                                    Something smells bad here.



                                    As the top answer said, go to a lawyer, but don't go in bad faith.






                                    share|improve this answer





























                                      1












                                      1








                                      1







                                      This is an addition to the other answer from the top (currently). I understand it's been 3 days already and we won't see an answer from OP, but I strongly suggest to anyone that will have this happen to them to consider the following.



                                      Understand how data leaks usually happen: third party contractors are targeted first. I will tell you that even the lowest, but serious threat actor has the capability to gather immense throves of data on your company, contractors and its internals so it will be known who contractors are. You might not believe it, but HR software your company uses to manage its employees are more vulnerable than a defenseless cat cornered by 10 wolves.



                                      Often times these contractors aren't serious about security and are way, way easier to penetrate than the company itself which might have bolstered defenses. Think about it this way -- why go through the main company's defenses when you can go after its contractors or low-tier employees who have no idea about security?



                                      By proxy, I know of a case where a country's entire research division that was made of universities, the defense department and others had several servers where they'd upload "research results & schematics". There was a professor who had an old chatting server that was very abusable. They got inside the pretty beefy research network through that guy's chatting server after pinballing through close to a dozen computers before going there.



                                      You might have a case of a contractor getting hacked. People who would land themselves in jail like this and have their lives ruined are very, very rare and often times mentally ill. Statistically speaking, there's no way he did this himself and by contrast, it means someone else leaked the information to hurt the main company. He's just a pawn.



                                      You also hinted at this being a strong possibility with "why would he keylog himself?". No one does that. You also said that you saw dumps of logs and tokens that were one-time use. Who do you think could be looking for these when you think about the contractor, a hacker targeting the company through this contractor and the company?



                                      Something smells bad here.



                                      As the top answer said, go to a lawyer, but don't go in bad faith.






                                      share|improve this answer















                                      This is an addition to the other answer from the top (currently). I understand it's been 3 days already and we won't see an answer from OP, but I strongly suggest to anyone that will have this happen to them to consider the following.



                                      Understand how data leaks usually happen: third party contractors are targeted first. I will tell you that even the lowest, but serious threat actor has the capability to gather immense throves of data on your company, contractors and its internals so it will be known who contractors are. You might not believe it, but HR software your company uses to manage its employees are more vulnerable than a defenseless cat cornered by 10 wolves.



                                      Often times these contractors aren't serious about security and are way, way easier to penetrate than the company itself which might have bolstered defenses. Think about it this way -- why go through the main company's defenses when you can go after its contractors or low-tier employees who have no idea about security?



                                      By proxy, I know of a case where a country's entire research division that was made of universities, the defense department and others had several servers where they'd upload "research results & schematics". There was a professor who had an old chatting server that was very abusable. They got inside the pretty beefy research network through that guy's chatting server after pinballing through close to a dozen computers before going there.



                                      You might have a case of a contractor getting hacked. People who would land themselves in jail like this and have their lives ruined are very, very rare and often times mentally ill. Statistically speaking, there's no way he did this himself and by contrast, it means someone else leaked the information to hurt the main company. He's just a pawn.



                                      You also hinted at this being a strong possibility with "why would he keylog himself?". No one does that. You also said that you saw dumps of logs and tokens that were one-time use. Who do you think could be looking for these when you think about the contractor, a hacker targeting the company through this contractor and the company?



                                      Something smells bad here.



                                      As the top answer said, go to a lawyer, but don't go in bad faith.







                                      share|improve this answer














                                      share|improve this answer



                                      share|improve this answer








                                      edited Aug 12 at 13:37

























                                      answered Aug 12 at 13:31









                                      coolpastacoolpasta

                                      1113 bronze badges




                                      1113 bronze badges
























                                          0













                                          First, suggest you to change credentials of everything you know of. There are hackers who love this kind of data and use this for their own usage like cyber attack, ransom ware and etc.



                                          Also same time initiate the complain to take down the site and stop spread of data on internet.



                                          These are important. First protect your business. Later you can go for legal proceedings on the person.






                                          share|improve this answer

























                                          • "Same time" rarely works for humans. Changing 1000s of leaked passwords may take a while, which is why I would initiate the takedown first, then start changing passwords.

                                            – Thomas Weller
                                            Aug 12 at 19:14















                                          0













                                          First, suggest you to change credentials of everything you know of. There are hackers who love this kind of data and use this for their own usage like cyber attack, ransom ware and etc.



                                          Also same time initiate the complain to take down the site and stop spread of data on internet.



                                          These are important. First protect your business. Later you can go for legal proceedings on the person.






                                          share|improve this answer

























                                          • "Same time" rarely works for humans. Changing 1000s of leaked passwords may take a while, which is why I would initiate the takedown first, then start changing passwords.

                                            – Thomas Weller
                                            Aug 12 at 19:14













                                          0












                                          0








                                          0







                                          First, suggest you to change credentials of everything you know of. There are hackers who love this kind of data and use this for their own usage like cyber attack, ransom ware and etc.



                                          Also same time initiate the complain to take down the site and stop spread of data on internet.



                                          These are important. First protect your business. Later you can go for legal proceedings on the person.






                                          share|improve this answer













                                          First, suggest you to change credentials of everything you know of. There are hackers who love this kind of data and use this for their own usage like cyber attack, ransom ware and etc.



                                          Also same time initiate the complain to take down the site and stop spread of data on internet.



                                          These are important. First protect your business. Later you can go for legal proceedings on the person.







                                          share|improve this answer












                                          share|improve this answer



                                          share|improve this answer










                                          answered Aug 12 at 14:09









                                          Mahesh VMahesh V

                                          1011 bronze badge




                                          1011 bronze badge















                                          • "Same time" rarely works for humans. Changing 1000s of leaked passwords may take a while, which is why I would initiate the takedown first, then start changing passwords.

                                            – Thomas Weller
                                            Aug 12 at 19:14

















                                          • "Same time" rarely works for humans. Changing 1000s of leaked passwords may take a while, which is why I would initiate the takedown first, then start changing passwords.

                                            – Thomas Weller
                                            Aug 12 at 19:14
















                                          "Same time" rarely works for humans. Changing 1000s of leaked passwords may take a while, which is why I would initiate the takedown first, then start changing passwords.

                                          – Thomas Weller
                                          Aug 12 at 19:14





                                          "Same time" rarely works for humans. Changing 1000s of leaked passwords may take a while, which is why I would initiate the takedown first, then start changing passwords.

                                          – Thomas Weller
                                          Aug 12 at 19:14

















                                          draft saved

                                          draft discarded
















































                                          Thanks for contributing an answer to Information Security Stack Exchange!


                                          • Please be sure to answer the question. Provide details and share your research!

                                          But avoid


                                          • Asking for help, clarification, or responding to other answers.

                                          • Making statements based on opinion; back them up with references or personal experience.

                                          To learn more, see our tips on writing great answers.




                                          draft saved


                                          draft discarded














                                          StackExchange.ready(
                                          function ()
                                          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f215025%2fex-contractor-published-company-source-code-and-secrets-online%23new-answer', 'question_page');

                                          );

                                          Post as a guest















                                          Required, but never shown





















































                                          Required, but never shown














                                          Required, but never shown












                                          Required, but never shown







                                          Required, but never shown

































                                          Required, but never shown














                                          Required, but never shown












                                          Required, but never shown







                                          Required, but never shown







                                          Popular posts from this blog

                                          Category:9 (number) SubcategoriesMedia in category "9 (number)"Navigation menuUpload mediaGND ID: 4485639-8Library of Congress authority ID: sh85091979ReasonatorScholiaStatistics

                                          Circuit construction for execution of conditional statements using least significant bitHow are two different registers being used as “control”?How exactly is the stated composite state of the two registers being produced using the $R_zz$ controlled rotations?Efficiently performing controlled rotations in HHLWould this quantum algorithm implementation work?How to prepare a superposed states of odd integers from $1$ to $sqrtN$?Why is this implementation of the order finding algorithm not working?Circuit construction for Hamiltonian simulationHow can I invert the least significant bit of a certain term of a superposed state?Implementing an oracleImplementing a controlled sum operation

                                          Magento 2 “No Payment Methods” in Admin New OrderHow to integrate Paypal Express Checkout with the Magento APIMagento 1.5 - Sales > Order > edit order and shipping methods disappearAuto Invoice Check/Money Order Payment methodAdd more simple payment methods?Shipping methods not showingWhat should I do to change payment methods if changing the configuration has no effects?1.9 - No Payment Methods showing upMy Payment Methods not Showing for downloadable/virtual product when checkout?Magento2 API to access internal payment methodHow to call an existing payment methods in the registration form?