While testing a feature, you stumble onto a way to view other users' personal data that you weren't supposed to have access to. What do you do?
situational · Junior level · general
What the interviewer is really asking
Assess data-handling ethics and security instincts — whether the candidate stops, refrains from poking further, and reports a privacy/access flaw responsibly instead of exploring or staying silent.
What to say
- Stop immediately — don't keep clicking through or pull more records to 'see how bad it is'; you've already confirmed the flaw exists.
- Report it through the right channel fast: your lead and the security or privacy contact, with the exact steps to reproduce.
- Be careful with the data itself — don't copy, screenshot widely, or share it; capture only the minimum needed to prove the issue.
What to avoid
- Don't say you'd explore further to map out the full extent before reporting — that's more unauthorized access.
- Don't say you'd quietly note it and mention it later when it's convenient — an access leak is time-sensitive.
- Don't treat it as not your problem because you found it by accident or it's outside your area.
Example answers
Strong: I'd stop the moment I realized I could see data I shouldn't — I wouldn't click into more accounts to gauge the scope, because that's just more access I'm not authorized for. I'd note the minimal repro steps and report it right away to my lead and our security contact, framed as a potential access-control flaw exposing personal data. I'd avoid copying or sharing any of the data and let security decide the next steps; over-exploring a privacy hole can make a bad situation worse.
Weak: I'd check a few more accounts to understand how widespread it is, then write up a thorough report showing the full scope to my lead.