
Ask HN: I came across customer data exposed, for a company I interviewed? - rakjosh
I interviewed for an e-commerce startup company a month ago, I saw their ad on FB and was browsing their site and came across an API endpoint that was exposing potentially all customer&#x27;s data, including name, email, phone, and full address.<p>A little background about the company, they scheduled an interview with me. I was ready for the interview and the guy interviewing me wanted to reschedule the interview 5 mins after the interview time. I agreed to reschedule and had an interview at another time. But they never got back to me about how the interview went. I followed back up with them 2 weeks ago and they said I was not a good fit.<p>What should I do now? What is the best course of action to inform them about this?
======
greenyoda
Did you actually try accessing the API endpoint to confirm that it was
returning customer data? If so, you may have violated the federal law that
forbids people from "exceeding authorized access" to a site. So unless the
company has a formal "bug bounty" program that explicitly says that they're OK
with people poking around on their web site, you should probably forget you
ever saw this. Someone in the company might turn you over to the FBI to cover
up their own mistakes. It's just not worth the risk. (Yes, people have
actually been prosecuted over stupid things like this. Sorry, I don't remember
the details of the case.)

