A YouTube content creator said that she has found a spreadsheet with the names and addresses – including private residences – of more than 2,000 journalists and content creators on the popular Electronic Entertainment Expo (E3) trade show’s website.
E3 2019, which took place this year June 11 to 13 in Los Angeles, is a major trade show for computer and video-game products. The conference, managed by the Entertainment Software Association (ESA), has historically drawn more than 15,000 attendees. As part of the conference registration process, members of the press are asked for details including their names, emails, phone numbers and addresses.
On Friday, YouTube content creator Sophia Narwitz said in a video that she had discovered a spreadsheet containing personal details for 2,000 show-goers open for the taking on E3’s website. All Narwitz had to do was click a public link titled “Registered Media List.” Upon clicking the link a spreadsheet was downloaded with names and personal, not work, addresses.
“On a public link on the E3 website was a file with the private addresses, phone numbers and names of over 2,000 journalists and content creators. It has since been removed given I contacted the ESA, but this is a massive breach of trust and privacy,” said Narwitz in the YouTube video below, entitled “The Entertainment Software Association just doxxed over 2,000 Journalists and Content Creator.”
Narwitz said she reached out to the ESA via phone and email before disclosing the issue – and while she has not heard back from the ESA, the information has been pulled and the link now returns a 404 error.
Employees from various news outlets, including Vice, gaming website Polygon, movie content site IMDb and media company iHeartMedia, were impacted, as well as streamers from YouTube and Twitch, said Narwitz.
One other company with employees who were impacted was gaming website Niche Gamer, where Narwitz was formerly a senior staff writer; every one of the addresses listed was a private residence, she confirmed.
The incident has drawn ire from journalists in the gaming community, including Jonathan Barkan, editor-in-chief at horror movie news site Dread Central. On Twitter, he pointed to a risk of the list “being copy/pasted on sites where hatred is nurtured and cultivated.”
https://twitter.com/JonathanBarkan/status/1157647221225086977
ESA did not immediately respond to a request for comment from Threatpost. In a media statement made to other publications, it said:
“ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public. Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again.”
However, Narwitz stressed that implications for posting journalists’ private residence information online could be dire, and told listeners that “for next year’s E3, you may want to re-think going.”
“There is no reason I should have been able to download this file, and all it took was clicking a public link,” she said on YouTube. “The ESA owes everyone some answers and if this data is to ever leak then they sure…deserve to be held accountable. That they would put people at risk in this capacity is beyond my understanding. I don’t know how this occurred or why, and I don’t expect to get answers from them, but I think the public and the press need to hold their feet to the flames because this is simply inexcusable.”