Ask HN: What to do when you learn someone's credentials have leaked?
7 points by southerntofu on Feb 18, 2022 | hide | past | favorite | 6 comments
How can I reach Gmail and other megacorps to let them know an account was probably compromised? These people don't even have a contact form...

Long story: So I was hanging out on this perfectly legit forum when a sketchy person started to ask if we could provide them 1TB storage that they could pay for, but would rather go with a friendly transaction than through a business. Sounds nice so far, maybe a fellow FLOSS hacker has too much stuff to back up?

They claimed it was 1TB of logs, which raised our suspicions, but they said it was all legit and we could look through it, they wouldn't mind. So we got a 2MB sample zip, but inside were stolen credentials from a third person, as well as - you guessed it - malware named "Passwords.txt.lnk". It looks like the credentials were compiled by a malware called Redline.

So now I have tons of passwords for this poor 3rd party but no way to contact them to let them know they've been pwned. Any ideas? I thought about contacting Gmail & others so they can probably SMS this person, but for most of those accounts I could not find contact info for the sysadmins or security team.

Going to the police is probably not gonna help and might get me and other friendly people in trouble for accessing this data in the first place, so I'm not going for that. To be clear, I haven't tested any of these credentials, but I'm assuming they're real since the usernames/passwords have some resemblance yet subtle variations.

What would you do?



If you OR the incident are in, or involve, US individuals or firms, US CERT would be a likely reporting point:

https://us-cert.cisa.gov/forms/report

You might want to reach out to the EFF (info@eff.org), or researchers such as Brian Krebs (contact form at https://krebsonsecurity.com/about/) or Troy Hunt (HaveIBeenPwned, contact page including email: https://www.troyhunt.com/contact/).

It might also be wise to get personal and/or legal counsel to cover procedures and speak for you, which they can do without necessarily incriminating you.

Phil Venables is CISO of Google Cloud:

https://www.linkedin.com/in/philvenables

https://www.bloomberg.com/profile/person/20055418


Additionally, if you are in Germany, the BSI CERT group is the way to go.

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisati...

I was looking for something on a European level, but Europol seems to care only about money trails as far as I can tell from their website...

Also as previous comment said: get a lawyer. No, seriously, I mean it. The scapegoat game is harsh when someone on the other end reads the term "hacker" or "leak" because they (companies) fear blame and want to avoid it.


Some password managers (e.g. 1Password) will check against HaveIBeenPwned and warn users to change that specific password.
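The comment above mentions password managers checking against HaveIBeenPwned. As an added illustration (not code from this thread, from 1Password or from HIBP), the block below shows the k-anonymity scheme that HIBP's Pwned Passwords range API uses, which is why such a check does not leak the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every hash suffix sharing that prefix with a breach count, and matches the remaining 35 characters locally. The range response embedded here is constructed for the example and its counts are not real HIBP data; the live `fetch_range` helper is included for completeness but is not called.

```python
import hashlib
import urllib.request

# Constructed sample of what a range response looks like for the prefix
# "5BAA6": one "<35-hex-suffix>:<count>" entry per line. The counts are
# made up for this example; they are NOT real HIBP statistics. The first
# suffix is the real SHA-1 tail of the password "password".
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000000\r\n"
        "00000000000000000000000000000000001:3\r\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:12\r\n"
    ),
}


def hibp_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse a range response body into {suffix: breach_count}.

    Lines are tolerant of CRLF and blank lines; a malformed line is skipped
    rather than aborting the whole check."""
    counts: dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35:
            continue
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue
    return counts


def pwned_count(password: str, ranges: dict[str, str]) -> int:
    """Return how many times the password appears in the supplied range data
    (0 if unseen). Only the prefix is used to select a range; the suffix
    comparison happens locally, which is the k-anonymity property."""
    prefix, suffix = hibp_prefix_suffix(password)
    body = ranges.get(prefix)
    if body is None:
        return 0
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix: str, user_agent: str = "example-checker") -> str:
    """Fetch a live range from the real Pwned Passwords API (network call,
    not exercised in this example). Add-Padding asks the service to pad the
    response so its size does not hint at the prefix being queried."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": user_agent, "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "some-unlisted-passphrase"):
        n = pwned_count(pw, SAMPLE_RANGES)
        verdict = f"seen {n} times, change it" if n else "not in sample data"
        print(f"{pw!r}: {verdict}")
```

A password manager doing this check sends only `prefix` over the wire; even a passive observer of the request learns nothing more than that the user's hash falls into a bucket of roughly a million hashes.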


Reaching out yourself puts you in danger. Pass it on to a pro like dredmorbius suggested. Get legal counsel. You are already involved, don't make yourself a target for these mega corps to fuck. Your intentions may be noble but these companies aren't your friends. Do the right thing and wash your hands. Do not paint a target on your real name.


I would inform the forum you met the person on.

How would you inform the user in a useful way?

Directly... no, wouldn't work.

Indirectly... log in to every account through Tor. The user will get security notifications from many services, which will trigger them to change their passwords.


Asking for a friend, I presume :)



