HACKER Q&A
📣 rakjosh

I came across exposed customer data at a company I interviewed with?


I interviewed with an e-commerce startup a month ago. I saw their ad on FB, was browsing their site, and came across an API endpoint that was potentially exposing all customers' data, including name, email, phone, and full address.

A little background about the company: they scheduled an interview with me. I was ready for it, but the guy interviewing me wanted to reschedule 5 minutes after the interview time. I agreed and interviewed at another time, but they never got back to me about how it went. I followed up with them 2 weeks ago and they said I was not a good fit.

What should I do now? What is the best course of action to inform them about this?


  👤 greenyoda Accepted Answer ✓
Did you actually try accessing the API endpoint to confirm that it was returning customer data? If so, you may have violated the federal law that forbids people from "exceeding authorized access" to a site. So unless the company has a formal "bug bounty" program that explicitly says that they're OK with people poking around on their web site, you should probably forget you ever saw this. Someone in the company might turn you over to the FBI to cover up their own mistakes. It's just not worth the risk. (Yes, people have actually been prosecuted over stupid things like this. Sorry, I don't remember the details of the case.)