If you know about a breach that should be included on this site or need to contact me about another matter, e-mail me: breaches[at]databreaches.net
Alternate Email: breaches[at]protonmail[dot]ch.
You may also call me or contact me securely on Signal: +1.516.776.7756.
Twitter: @PogoWasRight
Mastodon: PogoWasRight
Other platforms available on request.
If You Get an Email from This Site or a Phone Call:
On a regular basis, I am contacted by researchers and asked to help notify companies or entities who have a data leak or breach that they do not know about. In such circumstances, I generally try email or a site’s on-site contact form if they have one. I may also use the phone. Sometimes, I may reach out to entities via LinkedIn or DM on Twitter. I am very determined when trying to alert an entity that they have a leak or a breach.
I understand that in this day and age, people are suspicious of what they might fear are phishing attempts. So look at the email carefully. You will not be able to tell anything about my location because of the email service I use, but I do include my phone number, and I use the same phone number for this site: +1 516-776-7756. Any email will likely come from the databreaches.net domain. If that domain is blocked by your system, I may try using breaches[at]protonmail.ch to reach you. In many cases, the emails will be signed with my real name. In some cases, they may just be signed “Dissent.”
Still uncertain as to whether it’s a phish? Contact me on Twitter where I am @PogoWasRight to ask if I emailed you or called you or contacted you on LinkedIn.
Please note that notifying you of your leak or data security problem is not my job. And it is not my job to keep trying to get through to you to make you realize you have a problem. If I have to keep trying, I tend to get testy. If you ignore attempts to alert you, I may start tweeting publicly about why your company isn’t responding to notifications.
You can help yourself avoid a PR or regulatory nightmare by ensuring that you have clearly displayed ways for people to notify you of any data security concerns and by training your staff to escalate notifications. If they are concerned that the notifications are fake or a potential scam, they should not click on any links, but they should still get a supervisor involved or someone who can pursue the notice to determine if it’s real.
I hope I never have to contact you, but if I do, I hope you take the notification seriously.
This page was last updated on December 23, 2020.