No, the information we've shared with you comes from a misconfigured cloud storage account or other online resource that is being publicly shared with the world. We simply found it and are letting you know about it. Hackers will definitely use this data against you or your customers and may already be doing so. But we are not.

Did Sky Witness hack me, how did you get this data?

You don't. And that's OK. It's wise to be skeptical. You don’t need to trust us, or interact with us in any way. Just show the information we've provided to someone you do trust who's involved in Information Security or IT, and let them take it from there.

I'm skeptical, how do I know this disclosure you sent me isn't some kind of scam?

Frequently Asked Questions (FAQs) for Data System Owners Regarding Notification from SkyWitness

We get this response a lot. In 100% of the cases so far it's wrong. We look at hundreds of thousands of buckets and evaluate each disclosure by hand. We don’t waste our time alerting owners unless we're confident that some portion of the data located in the bucket is absolutely meant to be private.

Sky Witness is mistaken, my organization looked into it and the data you are referring to is public.

We aren't. We're searching across 11 billion publicly exposed files for sensitive data. When we find something interesting we then work backwards to identify the owner, not the other way around.

Why is Sky Witness targeting my organization specifically?

Absolutely, we're always happy to re-check or help validate, just reply to the original message we sent you.

We're pretty sure we've solved the issue, can Sky Witness recheck?

Generally speaking, we don’t have great ways to determine this. Your internal tools and logging are probably the best way to go about discovering this. Same for info about who may have accessed your data while it was public. Logging is your friend.

Thanks for the notification - can you tell us how long our data has been exposed?

We're serious about responsible disclosure. We only ever discuss findings in the abstract in our disclosure log and elsewhere, and we never name names or reveal details. You can take our word for it, but if you'd be more comfortable with the protection of a legal NDA, we're happy to accommodate. - In these cases we do ask to be compensated in the same way that you would compensate a legal representative to work with us. 

Thanks for the disclosure, but how can I be sure you aren’t going to tell anyone else about this?

Unfortunately this happens frequently. Usually it's a partner or developer or a subcontractor that has exposed a copy of your data, this can be a serious problem to track down. -That said, if it's your data, so it's your problem. Let us know how we can help.

THE DATA YOU PROVIDED BELONGS TO MY ORGANIZATION BUT WE'RE NOT THE ONES SHARING IT.

Can we interview you for our blog, podcast, news program, edgy zine, or overdue homework assignment? Sure, we can accommodate most of those requests. Drop us a line.

Do you do children's parties, or other media?

10.

Hey, we did what we could, if you want to share your own private data, we don't want to stop you. Just make sure the data is actually yours, because if you're sharing private information about others, we will not hesitate to notify them and cooperate fully with any legal action they may want to bring. 

Meddling kids! Mind your business Sky Witness. We're not going to fix it.

9.