Forbes accidentally exposed ‘30 Under 30’ winners’ private info, honoree finds
Forbes just discovered that not all recognition is welcome.
The publication behind the annual 30 Under 30 list, which Forbes calls “the definitive list of young people changing the world,” is itself receiving notoriety after one of its awardees discovered the site exposed a decade’s worth of private data. Jane Manchun Wong, a 2022 30 Under 30 honoree and security researcher recognized for (among other things) her ability to uncover hidden features in apps, said that the Forbes list exposed the emails and birthdates of all awardees — both past and present.
“I discovered a personal data exposure in Forbes 30 Under 30 Directory while looking for my entry, including ~4000 emails and ~7000 birthdates of the honorees over the past 10 years,” she wrote on Friday.
Wong explained over Twitter DM that she discovered the exposure on Dec. 2, and notified Forbes immediately. She said Forbes never directly responded to her disclosure.
“I didn’t get any response from Forbes in regards to the write up of this data exposure,” she wrote. “Nor did I frequently check when it got solved. But as of today, when I checked on the directory webpage, the data exposure has been resolved.”
We reached out to Forbes to confirm Wong’s statements, both about the exposure itself and the fact that Forbes failed to respond to her disclosure of it.
“Forbes was alerted that there was some information rendered deep in the JavaScript,” replied a spokesperson. “When we were notified, we took immediate action and quickly corrected the problem. To the best of our knowledge, the data was not accessed by anyone else.”
That the Forbes list is, by definition, a collection of notable people — past honorees include Miley Cyrus and Ethereum founder Vitalik Buterin, for example — makes this type of incident even more problematic. Exposed personal emails, along with birthdays, open people up to targeted phishing campaigns.
“The personal data was publicly accessible before they fixed it,” Wong explained over DM. “So people other than myself could’ve accessed it. I hope no one with bad faith intent had accessed it though.”
If anyone less responsible than Wong did indeed access that data, then 30 Under 30 honorees may soon be on the receiving end of more than just accolades.
UPDATE: Dec. 10, 2021, 12:38 p.m. PST The story was updated to include comment from a Forbes spokesperson.