E3 Expo Leaks The Personal Information Of Over 2,000 Journalists [Update]

A spreadsheet containing the contact information and personal addresses of over 2,000 games journalists, editors, and other content creators was recently found to have been published and publicly accessible on the website of the E3 Expo.

The Entertainment Software Association, the organization that runs E3, has since removed the link to the file, as well as the file itself, but the information has continued to be disseminated online in various gaming forums. While many of the individuals listed in the documents provided their work addresses and phone numbers when they registered for E3, many others, especially freelance content creators, seem to have used their home addresses and personal cell phones, which have now been publicized. This leak makes it possible for bad actors to misuse this information to harass journalists. Two people who say their private information appeared in the leak have informed Kotaku that they have already received crank phone calls since the list was publicized.

The existence of this document was first publicized in a YouTube video that journalist Sophia Narwitz posted to her personal channel on Friday night. In her video, Narwitz described how the file could be accessed: “On the public E3 website was a web page that carried a link simply titled ‘Registered Media List.’ Upon clicking the link, a spreadsheet was downloaded that included the names, addresses, phone numbers, and publications of over 2,000 members of the press who attended E3 this past year.”

Again, the E3 website has since been updated to remove this link, but cached versions of the site do indeed show that a link titled “Registered Media List” used to appear on a “Helpful Links” page. For some time yesterday, even after this page was removed, clicking on the link in the easily-accessible Google cached version of the page would download the spreadsheet from the E3 website’s servers.

“Before even considering making this story public, I contacted the ESA via phone within 30 minutes of having this information,” Narwitz continued in her video. “Worried that might not be enough, I also shot off an email not too long after. On top of that, I reached out to a number of journalists to make them aware of this.”

One reporter who asked to remain anonymous told Kotaku that he had been one of the people Narwitz contacted before publishing her YouTube video. That reporter says that Narwitz told him she had first learned of the document’s existence because someone had emailed her anonymously to say that they had discovered it and downloaded the information. After receiving this email, Narwitz purportedly then confirmed the file’s existence herself. The reporter who says Narwitz contacted him told Kotaku that he had cautioned Narwitz against publicizing any information about this spreadsheet until after it had been removed by the ESA. That reporter then contacted an ESA representative himself. After that, the direct link to the file was removed from the website. Unfortunately, the file itself was still accessible to anyone who knew the link or could find the Google cached version of the page.

After the page containing the link to the file was removed, Narwitz published her YouTube video about the leaks, seemingly believing that the file was no longer accessible. Soon after that, users noted on social media that although the link to the file had been removed, the spreadsheet file itself was still accessible. The anonymous reporter told Kotaku that he then contacted the ESA a second time and, at that point, the ESA deleted the file from its website. However, Narwitz’s video had already unwittingly publicized the existence and continued availability of the file, the contents of which continue to be shared online.

The ESA provided Kotaku with a statement about the leak. “ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public,” it wrote. “Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again.”

The ESA representative declined to respond to Kotaku’s other questions about why the file was not properly password-protected, how long the file had been available to the public, and whether this was the way that journalists’ personal data had been treated by the organization in past years.

UPDATE 8/3/19 4:00 pm ET: Narwitz confirmed this timeline of events in an email to Kotaku. She also specified the extent to which she had attempted to verify that the spreadsheet was no longer available when she uploaded her initial video about it: “Before I even considered making a video I went through steps to confirm it wasn’t available. I had an internet archive search that revealed nothing, and the page had been 404'ed. Obviously it was still cached elsewhere, this I wasn’t aware of until the video had already spread.”

Narwitz went on to note that she “did consider removing the video,” but chose not to: “The reason I ultimately didn’t is because of my belief this file was about to leak in the coming week (it really was only a matter of time until it found its way to whatever websites would play host to it), and so being my video was warning people, I ultimately decided it was best to leave it up.”

UPDATE 8/5/19 11:oo pm ET: On Monday, the ESA e-mailed a notice to people who attended the E3 convention in 2004 and 2006, stating that:

In the course of our investigation, we learned that media contact lists from E3 2004 and 2006 were cached on a third-party internet archive site. These were not files hosted on ESA’s servers or on the current website. We took immediate steps to have those files removed, and we received confirmation today that all files have either been taken down or are in the process of being removed from the third-party site.

We are working with our partners, outside counsel, and independent experts to investigate what led to this situation and to enhance our security efforts. We are still investigating the matter to gain a full understanding of the facts and circumstances that led to the issue.