Ask HN: I found a pretty extreme data leak and I'm not sure what to do
50 by Mo3 | 53 comments on Hacker News.
Long story short, through a bizarre chain of events starting from trying to hire a contractor online I have uncovered and have access to thousands of user credentials (email + CLEARTEXT password), associated addresses, company information, as well as associated active API keys for stock and crypto exchange accounts, millions of dollars in some, and to top it all off some of them even have withdrawal permissions.

The nature of access is such that it is somewhat hard for bots to find, which I assume is the reason it seems untampered with, but I have not tried executing write operations so I have no idea if it may only be read-only access and bots had a field day on it already - I doubt it at this point. The database itself also contains admin credentials to an internal administration interface which HAS write permissions.

Now, I'm obviously documenting this insanity to write a blog post over the next couple of days, but I'm seriously wondering what to do with this before anything else. As far as I see it, there are three options right now:

1) Contact the site owners themselves and let them know, but the... service they run seems shady, they are located in a country that starts with R and I worry that they might try to simply sweep it under the rug without informing their customers or doing nothing at all about it (if they are even still around, the last admin login in their system seems to be from March even though there are thousands of users still active)

2) Scrape off the email addresses and send emails to the affected individuals, warning them of the data leak, urging them to change their passwords and disable the API keys, however I worry that my emails either get routed to spam or ignored by a good amount of them

3) Nuke the data to prevent any future harm

I'm super lost. I'm thinking about step 2.
Thursday, May 19, 2022