[BreachExchange] E3 Website Leaks Private Addresses for Thousands of Journalists

Destry Winant destry at riskbasedsecurity.com
Wed Aug 7 10:15:43 EDT 2019


Personal data of 2,000 journalists was found publicly accessible in a
spreadsheet on the website for popular trade show E3.

A YouTube content creator said that she found a spreadsheet with
the names and addresses – including private residences – of more than
2,000 journalists and content creators on the popular Electronic
Entertainment Expo (E3) trade show’s website.

E3 2019, which took place this year from June 11 to 13 in Los Angeles, is a
major trade show for computer and video-game products. The conference,
managed by the Entertainment Software Association (ESA), has
historically drawn more than 15,000 attendees. As part of the
conference registration process, members of the press are asked for
details including their names, emails, phone numbers and addresses.

On Friday, YouTube content creator Sophia Narwitz said in a video that
she had discovered a spreadsheet containing personal details for 2,000
show-goers open for the taking on E3’s website. All Narwitz had to do
was click a public link titled “Registered Media List.” Clicking the
link downloaded a spreadsheet containing names and personal, not
work, addresses.

“On a public link on the E3 website was a file with the private
addresses, phone numbers and names of over 2,000 journalists and
content creators. It has since been removed given I contacted the ESA,
but this is a massive breach of trust and privacy,” said Narwitz in
a YouTube video entitled “The Entertainment Software
Association just doxxed over 2,000 Journalists and Content Creator.”

Narwitz said she reached out to the ESA via phone and email before
disclosing the issue – and while she has not heard back from the ESA,
the information has been pulled and the link now returns a 404 error.

Employees from various news outlets, including Vice, gaming website
Polygon, movie content site IMDb and media company iHeartMedia, were
impacted, as well as streamers from YouTube and Twitch, said Narwitz.

One other company with employees who were impacted was gaming website
Niche Gamer, where Narwitz was formerly a senior staff writer; every
one of the addresses listed was a private residence, she confirmed.

The incident has drawn ire from journalists in the gaming community,
including Jonathan Barkan, editor-in-chief at horror movie news site
Dread Central. On Twitter, he pointed to a risk of the list “being
copy/pasted on sites where hatred is nurtured and cultivated.”

ESA did not immediately respond to a request for comment from
Threatpost. In a media statement made to other publications, it said:

“ESA was made aware of a website vulnerability that led to the contact
list of registered journalists attending E3 being made public. Once
notified, we immediately took steps to protect that data and shut down
the site, which is no longer available. We regret this occurrence and
have put measures in place to ensure it will not occur again.”

However, Narwitz stressed that the implications of posting journalists’
private residence information online could be dire, and told listeners
that “for next year’s E3, you may want to re-think going.”

“There is no reason I should have been able to download this file, and
all it took was clicking a public link,” she said on YouTube. “The ESA
owes everyone some answers and if this data is to ever leak then they
sure…deserve to be held accountable. That they would put people at
risk in this capacity is beyond my understanding. I don’t know how
this occurred or why, and I don’t expect to get answers from them, but
I think the public and the press need to hold their feet to the flames
because this is simply inexcusable.”
