JayeLTee

@JayeLTee@infosec.exchange
282 Followers
43 Following
223 Posts

Independent Researcher monitoring exposed data online and alerting the owners of the exposures.
Information is provided upfront, for free, I do not charge or ask any fees.

Interested in what I do? My PMs are open.

Substack: https://jltee.substack.com/
Index of my public finds: https://jltee.substack.com/p/the-hub-of-stupi-misconfigs-index
Contact: PM for Signal

Some wild things I found exposed recently that I am actively trying to close down:

1) 🇺🇸 Criminal Defense firm with archived case files exposed (evidence, discovery, court docs, etc.) includes crash reports with dead people - Contacted the law firm last week and nothing done.

2) 🇺🇸 Phone extracts for multiple cases that have been on the news, including a case of a cop suicide, sexual abuse cases - Looking at who to notify about this one, being extra careful as the file listing suggests illegal stuff gathered as evidence might be exposed on it.

3) 🇳🇿 A database backup with a table that includes someone's diary, with a lot of entries about their sexual life.
This backup also includes ~1,500 logins for a police association on other tables and credentials to multiple companies & websites - Contacted higher-ups in the police association for help identifying who is responsible, but so far, no reply.

Just a few more servers to add to the list of dozens of pending cases. Will start escalating contacts until stuff gets fixed.

#cybersecurity #infosec #responsibledisclosure #threatintel #readyouremail

Out of the 68,000 endpoints I've scanned for this service, it seems at least 5,200 of them have been hit (at least 1 file with .want_to_cry ext).

Likely an automated script just encrypting whatever it can, and it is currently still going. I saw endpoints encrypted less than 24 hours ago (see image).

#cybersecurity #threatintel #infosec #ransomware

The latest ransom note on the server (other notes have been encrypted by the group that came after 😂) claims the company can pay $400 to get their previously encrypted files. Sounds like a great deal to me.

#cybersecurity #threatintel #infosec #ransomware

"How many times has ransomware hit you?"

"Yes"

#cybersecurity #threatintel #infosec #ransomware

A company contacted me to pick a charity in New Zealand to donate $500 as acknowledgment of the work I and others do on identifying and raising Security issues.

I chose https://ihaveadream.org.nz/ and just got confirmation the donation was made.

It's great to know my work managed to contribute to a donation that will help kids through education. ❤️

#cybersecurity #infosec #newzealand #donations #charity #kids

Saw some guy on X that was passing as a security researcher and would just post links to the data when companies didn't reply.
Also discovered, by talking with one of the companies, that he was asking them for money to not leak the data because, according to him, his work isn't free, so I got his account banned. Guess he's gotta farm those 10k bots, I mean followers, again 😂

GoHighLevel is an All-in-One Platform that was exposing publicly every attachment you might have saved from your contacts.

Not exactly sure when I'll make a detailed post about this one as I'm still trying to get the company to fully fix their stupidity:

2 emails sent, 2 servers on which they disabled listing, but whoever listed them before can still access over 10 million files. 0 replies to my emails or concerns even though I am 100% sure they were read.

#cybersecurity #infosec #gohighlevel #crm #dataleak #leak

Bug bounty program tips to avoid accountability:

Create a form on your website to report vulnerabilities and make it so every report is instantly added to a "private" non-disclosure program on Bugcrowd.

Now if the researcher wants to disclose anything you don't want to they'll have to risk getting banned.

Hint: I don't care at all about the account I created just to help AFTER I reported it. My post will come later this week 😂

#cybersecurity #infosec #scambounty #bugbounty #nondisclosure

Communication with companies is just great.

Alert the company that their logging server currently allows anonymous access and is exposing over 8TB of data inc. customer PII, close the exposure and the ticket without any reply, and send an automated survey asking how they did.

The domain sent on the reply is also for sale and not the company domain they use for the support email: b2servicesou.com vs b2services.com

At least their loyal customers will be informed of the misconfig, right? 🤣

#cybersecurity #infosec

Vulnerability management compliance tip of the day:

Create a web page to report security issues: https://www.gohighlevel.com/security-response

Now make sure the email you provided doesn't accept emails so you don't have to deal with any report.

#cybersecurity #infosec #incidentresponse #gohighlevel