Alerting Authors of a Security Flaw When You Don't Know Anything About the Company as an Independent

Security Flaw Whitehat Business

Written on 2022-02-09

⚠️ This is not a how-to guide; this is just my experience, not advice to follow.

Introduction

This is a social account of what I did and how I felt, rather than a technical description or CVE announcement. I’ll try to explain why I acted as I did and what I learned from the experience.

After Russia began invading Ukraine, French energy prices (and those elsewhere) started to rise substantially. I wanted to change my energy provider to get a better contract and began searching for a new one.

The Discovery

Data Verification During Subscription

I chose a provider with attractive contract prices and started the subscription process, which asked for my IBAN. The problem was that my IBAN is Lithuanian (Revolut Bank), and the system wouldn’t accept it. I suspected it was a frontend verification issue because no request was sent to the server, so I forged a POST request to one endpoint, but it didn’t work.

Then I looked for other endpoints and saw a request like this:

POST /api/v1/Data

Request body:

{
  "email": "myredactedemail@florianhj.fr"
}

Response:

[
  {
    "firstname": "Florian",
    ...
  }
]

No Filter Applied

When I made the request like this:

POST /api/v1/Data

Request body:

{}

Response:

[
  {
    "firstname": "Florian",
    ...
  },
  {
    "firstname": "Thibault",
    ...
  },
  ...
]

I gained access to the entire database of all the company’s clients. I immediately recognized the danger: this exposed contracts, banking details (IBAN, BIC), and more.
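The two defects described above, a lookup whose filter comes entirely from the request body (so that an empty `{}` matches every row) and an IBAN check that only ran in the browser, shown next to hardened versions. This is an added example in Python, not the provider's code: the customer rows, field names, BIC, emails and the country-length table are constructed for illustration, and the hardened lookup assumes the identity is available from an authenticated session rather than from the request.

```python
"""Added example (not the energy provider's code).

lookup_vulnerable mirrors the behaviour in the post: every key in the request
body becomes a filter, so {} returns the whole table. lookup_fixed takes the
caller's identity from the authenticated session and returns only what the
subscription page needs. is_valid_iban is the server-side check (ISO 13616
mod-97) that the browser-only validation should have been backed by.
"""
import re
from typing import Optional

# Constructed sample table standing in for the provider's customer store.
CLIENTS = [
    {"email": "florian@example.test", "firstname": "Florian",
     "iban": "LT000000000000000000", "bic": "TESTLT22"},
    {"email": "thibault@example.test", "firstname": "Thibault",
     "iban": "FR000000000000000000000000", "bic": "TESTFR21"},
    {"email": "camille@example.test", "firstname": "Camille",
     "iban": "FR000000000000000000000001", "bic": "TESTFR21"},
]

# Fields the subscription funnel actually needs; banking data is not among them.
SAFE_FIELDS = ("email", "firstname")


def lookup_vulnerable(body: dict) -> list[dict]:
    """Every key in the request body is a filter and nothing ties the result
    to the caller. {} matches all rows, so anyone can dump the table."""
    return [row for row in CLIENTS
            if all(row.get(k) == v for k, v in body.items())]


def lookup_fixed(session_email: Optional[str]) -> list[dict]:
    """Identity comes from the authenticated session (assumed to be resolved
    by the framework before this runs), never from the request body, and the
    response is limited to SAFE_FIELDS."""
    if not session_email:
        raise PermissionError("authentication required")
    return [{k: row[k] for k in SAFE_FIELDS}
            for row in CLIENTS if row["email"] == session_email]


# Subset of the ISO 13616 registry: IBAN length per country (constructed subset).
IBAN_LENGTHS = {"FR": 27, "LT": 20}


def _to_numeric(s: str) -> str:
    """Letters become two-digit numbers (A=10 ... Z=35), digits stay as-is."""
    return "".join(str(ord(c) - 55) if c.isalpha() else c for c in s.upper())


def iban_check_digits(country: str, bban: str) -> str:
    """Check digits that make country + digits + bban pass the mod-97 test."""
    n = int(_to_numeric(bban + country + "00"))
    return f"{98 - n % 97:02d}"


def is_valid_iban(iban: str) -> bool:
    """Server-side IBAN validation: shape, registered length, mod-97 == 1.
    Accepts a Lithuanian IBAN as readily as a French one."""
    iban = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]+", iban):
        return False
    if IBAN_LENGTHS.get(iban[:2]) != len(iban):
        return False
    # Move the country code and check digits to the end, then reduce mod 97.
    return int(_to_numeric(iban[4:] + iban[:4])) % 97 == 1


if __name__ == "__main__":
    print(len(lookup_vulnerable({})), "rows for an empty filter")
    print(lookup_fixed("florian@example.test"))
    sample = "LT" + iban_check_digits("LT", "1000011101001000") + "1000011101001000"
    print(sample, is_valid_iban(sample))
```

The fix is not a better filter parser: the vulnerable function is correct for what it was asked to do, which is the problem. Scoping by session identity and stripping the banking fields from the subscription response are the two changes that would have made the empty-body request harmless, and the IBAN check belongs on the server regardless of what the browser does.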

Contacting Someone

This is just my experience; I’m not a security expert. You should contact organizations that can reach companies anonymously on your behalf. This was my first time, and I wanted to handle it myself to see how people react when you inform them their system is compromised.

Trying Customer Service

I first tried to contact customer service as a regular client. It was difficult to reach a human. After explaining the issue (without sharing technical details), they said they would get back to me.

Later, I received a call from a call center manager. I didn’t want to disclose sensitive information about the data leak, as it could be very harmful in the wrong hands. The manager kept pushing for details, but I insisted on speaking to someone in charge, especially to share technical specifics. The manager was just doing their job, and it’s normal for call centers to filter calls and escalate important ones.

Contacting the Group Directly

After a few hours without any update, I decided to contact the group directly. After explaining the situation again, they connected me with the DPO (Data Protection Officer).

Perfect! I finally had someone who could understand and act on the problem. After verifying their role on LinkedIn (the least I could do), I shared the technical details.

To my surprise, the DPO was very calm and confident, but kept asking which company I worked for. When I explained that I work for an employee-benefit company, they struggled to understand that I was just a citizen trying to prevent a data leak. Make this point clear early: you are not a cybersecurity company, even though that is what they may expect.

The DPO said they would investigate and get back to me as soon as possible.

Resolution

The subscription channel was quickly taken offline for “maintenance” to prevent further data leaks.

Call Back from the General Director

A few days later, the subscription funnel was still down. I received a call from the company’s General Director (which was quite surprising!). I had to explain again that I’m not a cybersecurity professional, just a concerned citizen. She said they had found the problem and were working to resolve it. She offered me a promo code for their service, which I politely declined.

Conclusion

Honestly, it was a very stressful experience because I feared being accused of hacking. I was just trying to do the right thing, but the process was far from straightforward. The lack of a clear channel for reporting security issues as an independent person made everything more complicated and nerve-wracking.

If you ever find yourself in a similar situation, I strongly recommend reaching out to organizations that specialize in responsible disclosure. Acting alone can be risky, both legally and emotionally. Companies are often unprepared to handle reports from independent researchers or regular citizens, and you may not get the response you expect.

In the end, I’m glad the issue was resolved and that no data was leaked further. I learned a lot about the importance of responsible disclosure, the challenges of communicating with large organizations, and the need for better processes to protect both users and those who try to help.

If you discover a vulnerability, remember: your intentions matter, but so does your approach. Stay safe, act responsibly, and seek support if you need it.