Hacker News
E3 accidentally leaks personal details of journalists, YouTubers and analysts (gamesindustry.biz)
75 points by Kye 78 days ago | 48 comments

Might be more accurate, despite this being the headline, to change the title to “ESA accidentally leaks...”. The ESA is the trade organization that puts on E3 and the entity that is ultimately responsible for this.

While true, the leak was of a list of E3 attendees. The fact that it was of E3 attendees is the key fact. I tried different ways to fit ESA in while maintaining specificity, but all variations came out too long.

ESA instead of E3 wouldn't necessarily tell E3 attendees their information was leaked since not everyone knows the ESA puts it on. Personally, I've been around games all my life and had no idea.

Headlines are always a compromise. I think the author found a good one.

Definitely, just want to highlight the ESA as the organization responsible for people who might not be as familiar with the space.

Then we’d have to deal with a torrent of comments about the European Space Agency.

> The private details of 2,025 games industry journalists and video producers have been leaked online.

Leaking the details of a couple thousand people isn't just a regret. Hopefully as more details come forward ESA actually makes an effort to clean up their mess.

Worse, it's being alleged that they've known the information was publicly accessible for months now.



Only 2000? By Equifax logic ($31 million for 140 million cases), E3 can pay a few hundred bucks and move on.

Given the hate and threats video game journalists and YouTubers already get, I can’t imagine this will have a happy ending.

There was recently an incident of a FFXIV streamer being doxed and his (and his children’s) lives threatened for their stance on the latest FFXIV raids. There are some real psychopaths out there.

Hi there. I am trying to reach you to ask about sclerals. Would you DM please? gmail: vinhvlam

Are there any other enthusiast groups that are this toxic? I stopped associating with the hobby after GamerGate but in retrospect I should have stopped earlier.

Sports? Arguably massively more toxic. People being murdered over sporting events is a truly ancient phenomenon and even destabilized empires clear back into ancient times (nearly half of Constantinople was burned down to the ground in the Greens vs Blues Nika riots).

I've not heard of the Nika riots, but from a brief reading it seems that it was about a bit more than sports:

> The team associations had become a focus for various social and political issues for which the general Byzantine population lacked other forms of outlet


> Some of the senators saw this as an opportunity to overthrow Justinian, as they were opposed to his new taxes and his lack of support for the nobility. The rioters, now armed and probably controlled by their allies in the Senate...


As if video game controversies are untouched by politics. And murder in sports continues to this day even when there isn't an emperor to overthrow.

If you want to bring politics into sports, then I'll just say videogames are just as political as sports are, and the death count is still way way lower (hypothesis, but I'm pretty confident).

I'm not saying "Video game toxicity is not a problem." It is; it's a big problem. But let's dispense with easily disprovable hyperbole like "it's the MOST toxic enthusiast culture".

Very good comparison and similarities can be drawn between the target audience. Unfortunately gaming sees deaths too with swatting and what not.

If you want to draw a rigorously serious comparison you need to mathematically compare audience sizes and base rates. Don't know how it shakes out but my money is definitely on sports, if for no other reason than that video game fans don't congregate in huge arenas with heavy drinking as often as sports fans do.

Completely agree. Though I can see a future where gaming gives it "competition" in this area. Especially with esports on the rise. Multi million dollar prizes and loyalties forming around these teams.

I can't really think of any other event where people riot when they are on the winning side just because they are over-excited.

Have you ever heard of European football? People are being killed routinely during opposing team fan "meetups". https://idrottsforum.org/alsio130118/ Raging kiddie gamers are a joke by comparison.

Lots of terrible examples to go around across the globe. A few years ago a woman who is a fan of the University of Alabama football team murdered another woman who was a fan of the same team. Why? Because the victim wasn't upset enough about the team they were both fans of losing a game earlier that day. So being a rival isn't even required for violence to happen. Heightened emotional states are inherently unstable.

People are being killed "routinely" for European football? That's simply ludicrous.

Yes, in Poland alone there has been ~one death every year.

2001 Opatów, 2003 Walichnowy, 2007 Kielce (knifed), 2007 Łódź (coma), 2011 Poddębice, 2011 Kraków, 2018 Prokocim (arm cut off with machete, body massacred with baseball bats, axes and hammers). Those I could find with a quick google.

Example clip from one https://www.youtube.com/watch?v=jKXOsC3ms7k train was emergency stopped in the middle of nowhere, other team was already waiting after being transported by shuttle buses. You can search "Ustawka" on YT for more.

7 deaths in 17 years is not routine.

This article https://krakow.onet.pl/krakow-wojna-gangow-lata-ktore-niosly... found 15 killings between 2002-2018.

Seriously. I can't think of any other group but not really looking that hard. And I love the medium. It's my go-to hobby. And like many here, I got into programming because I wanted to make my own games (still do).

I refuse to use the term/label "gamer". It's horrible. "Hardcore gamer" has turned into no true Scotsman.

As others have said, European football. When I was a teenager you'd get stopped on the street by "hardcore fans" and asked which side are you on - answer incorrectly or not at all and you're getting a mild couple punches, or if they had a few drinks then a good kicking on the ground. When there was a major football match in town then the streets would become deserted - the opposing side's fans were 100% guaranteed to pour out of the stadium and look for a fight with anyone. It would get incredibly brutal and people sometimes died. There's a reason why buses of football fans of some clubs are heavily escorted by the police whenever there is a match.

Yes. A film fan shot the president.

Politics, money, fandom, competition... These things will create toxicity.

Does anyone know the technical details of how this happened? Did someone just run a spider on the e3expo.com site and find the publicly accessible URL that way, or did they do something more advanced?

There was a direct link to the excel file on the "Helpful Links" page of the E3 Expo site.

The OP says:

>"Unfortunately, a vulnerability was exploited and that list became public." //

If it was just a link to a file on the website them claiming a vulnerability was exploited is like saying "my security system was overcome" if I dropped my wallet on the bus.

Based on the ESA statement it’s probably a case of Hanlon's razor where they have nobody on-staff to do a proper incident response. They also said they “shut down the site”, which really meant they removed/hid the page in WordPress but they didn’t remove the culprit file nor did they take down the E3 website.

What's worse is that there was basically no reason for this leak to be possible. I mean, it was apparently a list of all people who'd successfully received a press pass for E3 2019. The leak was in the form of an Excel spreadsheet with that info hosted on their server.

So why was it even there? It's not the database they're using on the site; from what I've read that's a standard WordPress install. And the spreadsheet was unlikely to be needed outside the organisation itself.

Hence the ideal thing to do would have been to somehow tie the WordPress DB into whatever system they were using. If that'd been done, the leak could never have happened in this way.

Alas they didn't, and by going with the old 'intern takes database details, puts them in a spreadsheet and shares around a link' method, exposed thousands of people's details online. It's basically a perfect case study for the dangers of ad hoc spreadsheet solutions and sharing 'private' links around to distribute customer info.

Either way, I wouldn't be surprised if someone did sue them under GDPR or what not at this point.

>So why was it even there?

>The list exists so that publishers and developers can invite analysts and media to events and private viewings that take place during the E3 show.

>We provide ESA members and exhibitors a media list on a password-protected exhibitor site so they can invite you to E3 press events, connect with you for interviews, and let you know what they are showcasing.

Well they say it was password protected, but the file could apparently be downloaded without logging in at all:


And even if it was, it feels like this system was implemented in the worst way possible. Could have been a CMS function that generated the list once credentials were provided or what not.

The best solution for these 'accidents' is mandatory jail-time for the CTO.

Does this entity have dealings in Europe? If so it might be possible for GDPR to apply, and I can see this getting ugly if it does (as I believe it should, they should get massive fines for this).

GDPR would apply if the entity had personal information of European citizens.

> GDPR would apply if the entity had personal information of European citizens.

Not quite, merely having data on an EU citizen is not sufficient to invoke GDPR.

To clarify, Article 3 of GDPR specifies that it applies to companies that market specifically to EU citizens or specifically monitor EU behavior of their customers. https://gdpr-info.eu/art-3-gdpr/

This is taken by many to broadly mean that when an EU citizen purchases something by (for example) a US company where the product is marketed only to US citizens, GDPR does not apply.

For example: https://www.gdpreu.org/the-regulation/who-must-comply/

“May be insufficient evidence [if] The firm’s website is accessible to EU residents”

> GDPR specifies that it applies to companies that market specifically to EU citizens or specifically monitor EU behavior of their customers

Does that mean that if you market to the world (i.e. anyone who might hit the site, making no mention of world nationalities) but not specifically to the EU (i.e. you make no mention of anything specific to the EU in any part of a site and you don't differentiate them in any way from non-EU users) then the GDPR doesn't apply?

The best advice if you intend to market something globally, and either comply with or avoid GDPR regulation -- either way -- is to hire a lawyer or a firm who has actual GDPR expertise.

My understanding from reading the GDPR text and multiple law firm and FAQ summaries is that GDPR applies to marketing specifically to the EU. The text of Article 3 is clearly stating that GDPR doesn't apply to everyone in the world, and doesn't apply for the sole reason that EU residents purchase something globally. But, the wording is also vague, GDPR has been widely criticized for its lack of specifics.

Personally, I currently believe that if you do not mention EU, do not market to the EU specifically in any way, and do not track or separate EU related data from global data, then GDPR may not apply. Marketing globally may not be sufficient to require GDPR compliance. But, it might also be easy to cross that line by doing something as simple as using Google Analytics, where it shows you behavior per region, so might be considered tracking EU activities. I don't know where the line is, so hire a GDPR lawyer.

Market doesn't mean advertise, it means to bring products to market, so yes, bringing products to market for the world is also bringing them to market for the EU.

> Market doesn't mean advertise

Broadly speaking, the verb "to market" does mean "to advertise or promote" (try Googling "define market", and see the verb definition).

> so yes, bringing products to market for the world is also bringing them to market for the EU.

While that's true in a sort of technical sense, the GDPR text explicitly contradicts the notion that failing to restrict EU citizens from buying something amounts to requiring GDPR compliance.

I see. Has it been challenged? I think a European citizen buying certain kind of products (pharma for instance) and then ending up in a marketing or adtech database means GDPR would apply (because of the monitoring for retargeting purposes for instance).

Agreed, a pharma purchase might amount to requiring GDPR compliance, not just for tracking, but also due to regional and international regulation on pharma products.

I also agree that general tracking might unintentionally cross the line and turn into EU specific marketing, it does seem like most web analytics these days is geared for identifying regional differences and that that would count as monitoring EU behavior.

GDPR is still in flux and being updated, but I don't know what's been tested in court. Best advice is to seek expert counsel.

They have.

How do you know that (not in the article) and are European citizens on the list?

With 2000+ people on that list the chances are pretty high there's at least one European included. At least this Dutch video game journalist complained on Twitter about his data being out there: https://twitter.com/tweakjur/status/1157609578143649792

Ah, thanks for that follow-up ^^.
