E3 Expo Leaks The Personal Information Of Over 2,000 Journalists

E3 Expo Leaks The Personal Information Of Over 2,000 Journalists
Photo: E3 2019

A spreadsheet containing the contact information and personal addresses of over 2,000 games journalists, editors, and other content creators was recently found to have been published and publicly accessible on the website of the E3 Expo.

The Entertainment Software Association, the organisation that runs E3, has since removed the link to the file, as well as the file itself, but the information has continued to be disseminated online in various gaming forums. While many of the individuals listed in the documents provided their work addresses and phone numbers when they registered for E3, many others, especially freelance content creators, seem to have used their home addresses and personal cell phones, which have now been publicised.

This leak makes it possible for bad actors to misuse this information to harass journalists. Two people who say their private information appeared in the leak have informed Kotaku that they have already received crank phone calls since the list was publicised.

The existence of this document was first publicized in a YouTube video that journalist Sophia Narwitz posted to her personal channel on Friday night. In her video, Narwitz described how the file could be accessed: “On the public E3 website was a web page that carried a link simply titled ‘Registered Media List.’ Upon clicking the link, a spreadsheet was downloaded that included the names, addresses, phone numbers, and publications of over 2,000 members of the press who attended E3 this past year.”

Again, the E3 website has since been updated to remove this link, but cached versions of the site do indeed show that a link titled “Registered Media List” used to appear on a “Helpful Links” page. For some time yesterday, even after this page was removed, clicking on the link in the easily-accessible Google cached version of the page would download the spreadsheet from the E3 website’s servers.


“Before even considering making this story public, I contacted the ESA via phone within 30 minutes of having this information,” Narwitz continued in her video. “Worried that might not be enough, I also shot off an email not too long after. On top of that, I reached out to a number of journalists to make them aware of this.”

One reporter who asked to remain anonymous told Kotaku that he had been one of the people Narwitz contacted before publishing her YouTube video. That reporter says that Narwitz told him she had first learned of the document’s existence because someone had emailed her anonymously to say that they had discovered it and downloaded the information.

After receiving this email, Narwitz purportedly then confirmed the file’s existence herself. The reporter who says Narwitz contacted him told Kotaku that he had cautioned Narwitz against publicising any information about this spreadsheet until after it had been removed by the ESA. That reporter then contacted an ESA representative himself.

After that, the direct link to the file was removed from the website. Unfortunately, the file itself was still accessible to anyone who knew the link or could find the Google cached version of the page.

Once the page containing the link to the file was removed, Narwitz published her YouTube video about the leaks, seemingly believing that the file was no longer accessible. Soon after that, users noted on social media that although the link to the file had been removed, the spreadsheet file itself was still accessible.

The anonymous reporter told Kotaku that he then contacted the ESA a second time and, at that point, the ESA deleted the file from its website. However, Narwitz’s video had already unwittingly publicised the existence and continued availability of the file, the contents of which continue to be shared online.

The ESA provided Kotaku with a statement about the leak. “ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public,” it wrote. “Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again.”

The ESA representative declined to respond to Kotaku’s other questions about why the file was not properly password-protected, how long the file had been available to the public, and whether this was the way that journalists’ personal data had been treated by the organisation in past years.

Narwitz confirmed this timeline of events in an email to Kotaku. She also specified the extent to which she had attempted to verify that the spreadsheet was no longer available when she uploaded her initial video: “Before I even considered making a video I went through steps to confirm it wasn’t available. I had an internet archive search that revealed nothing, and the page had been 404’ed. Obviously it was still cached elsewhere, this I wasn’t aware of until the video had already spread.”

Narwitz went on to note that she “did consider removing the video,” but chose not to: “The reason I ultimately didn’t is because of my belief this file was about to leak in the coming week (it really was only a matter of time until it found its way to whatever websites would play host to it), and so being my video was warning people, I ultimately decided it was best to leave it up.”


  • I love how this article is written to make the person who reported this fuck up to be the bad person.

    And not the ESA.

    This file was public for ages. If not for Sophia this would have stayed up.

    Sophia is not at fault for you getting doxxed. The ESA is.

    You should be thanking Sophia, not attacking her like Jason schreier did.

    • It’s very clear how much the ESA fucked up here, they don’t get a pass.

      The ESA representative declined to respond to Kotaku’s other questions about why the file was not properly password-protected, how long the file had been available to the public, and whether this was the way that journalists’ personal data had been treated by the organisation in past years.

      And why bring Jason into this? He didn’t write the article. He’s on leave.

      As an aside, there’s established in the security community for how breaches and vulnerabilities are handled so the amount of damage can be minimised. That didn’t take place here, although I’m a little more forgiving in that instance because writing/reporting on games doesn’t equip you for that.

      • If you visit his Twitter you’ll see what I’m mentioning.

        I probably should have worded that sentence better because it makes it seem like I think Jason wrote it lol.

        • Eh, he’s on leave. Last thing we need is to be on people’s case when they’re on holidays. Work does enough of that to everyone already.

          • Jason is probably the biggest name journalist on kotaku. when he says something on twitter (regardless of current status, well unless he leaves permanantly or is fired) it reflects on kotaku as a whole.

            This can be fine when he writes good articles but, is also horrible when he rants on twitter. In this case he was the first kotaku responder and it has reflected poorly for the site and so taints any perceptions of other articles written here on the subject.

            is it right to blame him for an article he didn’t write or to put words in the mouth of the author? no. will it happen because of how prevalent he is? unfortunately.

          • It’s pretty fair to point out that posting something about this while the information was still publicly accessible is a major misstep. All Jason did was – rightly – point that out.

            Sophia isn’t responsible for the doxxing, nobody’s saying that, but reporters also take responsibility for how information disseminates. The right thing to do in this instance is report after the information is no longer publicly available; that’s standard procedure to minimise harm, which is one of the most codified rules of any journalist code in any territory.

            But everyone makes mistakes, and everyone learns. This sort of stuff doesn’t come up often. And Sophia, from what I can see, doesn’t work with a huge team or have a lot of staffers around that deal with this kind of stuff. So this will be a bit of learning, hopefully, and fingers crossed there aren’t too many prank calls and weird postal messages for the people on that list.

          • The problem here though is that actual bad actors likely already had the information. the people that would do actual harm already knew. these people affected need to know as soon as possible.

            if anything the best course of action would be to script an email response to all potentially leaked people that their information has been made publicly available and send them the link.

            Also respectfully journalistic code doesn’t mean anything to anyone not a journalist. if we think a part of the code is wrong then we aren’t going to agree that someone should follow the code. at least to the letter.

            I do agree this could have been handled better but, I don’t think Sophia is very wrong at all. specifically being called out by a number of journalists who don’t practice ethics either. if she has made a mistake many who called her out have done just as bad or worse. there is a reason a lot of media these days has a bad reputation.

            Anyway. I will say that in this case I don’t feel that Sophia deserves this backlash she’s getting I don’t think the author of this article or jason (for the most part at least) deserve backlash either. there is no obvious malice so I hope this doesn’t hurt anyone.

      • C’mon Alex, you know full well what a certain part of Australia Kotaku’s comment section is like. Any excuse.

    • Hell it’s even more devious. anyone with intent to damage people wasn’t going to publish the info. they’d spread it to interested parties but, that wouldn’t alert the people affected by it.

  • And to think the ESA wants paystubs from game dev employees to get the industry pass. What if those were leaked.

  • “ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public,”

    It’s stretching pretty hard to say that a file they had publicly available, and directly linked to on the page as a ‘website vulnerability’. If the file was just on a accessible server and you needed to know what you were doing to get it … sure … maybe.

Show more comments

Log in to comment on this story!