Sungjoo Yoon ’27 has recently been referred to as the “Datamatch hacker,” but he’d rather you call him “bernie marx,” the pseudonym under which he published his Feb. 25 website, styled “the data privacy project.” It describes security vulnerabilities in the nationwide college matchmaking app Datamatch, which caused an uproar among Sidechat contributors and across campus alike. An advocate for data privacy and protections, Yoon published self-reported Rice Purity Test scores of the Harvard freshman class, alongside the students’ first and last initials to preserve anonymity, in what he called an “ethical awareness project.”
Replete with 16 citations and zero capital letters, Yoon’s website also includes an open letter urging other Harvard students to be wary of their data: “we live in an era of big data. this is not something to be inherently afraid of, and it can actually be really cool. for example, keeping a gcal of ur exam dates or the birthdays of ur closest friends from home—that’s amazing. but the reality is that we live in a society…where dubiously-ethical governments and less-than-ethical corporations are looking to capitalize on this useful tool.”
Amid online allegations of aspirational political theatrics, comparisons to Mark Zuckerberg (who lived in Yoon’s current dorm room), and praise for whistleblowing, Yoon sought to set the record straight in an interview with the Independent.
Yoon’s suspicion of data mismanagement and manipulation arose during the beginning of the school year when he was exposed to a deluge of advertisements for Claim, a Sequoia-backed start-up that socially gamifies shopping for Gen Z with vouchers and cash back. “They’re obviously not just giving you free money. There is a catch to all of this. There is no such thing as a free lunch… Why would people sign up for this stuff?” Yoon went on: “People are really putting their data anywhere. And these are the future leaders of the world.”
His perspective was also transformed by liberal arts—specifically, taking Harvard Kennedy School and Government Department Professor Latanya Sweeney’s class “Technology and the Public Interest: From Democracy to Technocracy and Back” and reading The Age of Surveillance Capitalism by Shoshana Zuboff last semester. He described developing a deep fear of a future where corporations know everything about you—genetics, personal information, consumption patterns, and more—and exploit that knowledge to your detriment. “It wakes you up when you read that book about the potential for that [data] being weaponized against marginalized minority identities in a way that is incredibly pernicious.”
In response to apps like Claim, Yoon used platforms like Sidechat and Reddit to warn fellow students. “Don’t put your information into random websites that reserve the right to sell your data in their privacy policies.” He elects to search the internet with DuckDuckGo and Firefox instead of Google Chrome.
Yoon was tipped off about insecurities in Datamatch by anonymous members of Harvard’s “computing community” around a week ago. He workshopped his data privacy crusade with the counsel of his technologically “prodigious” 14-year-old brother. “He was my sounding board for the idea. He also played a really large part in processing the data in a way that was not visible to anyone else, was ethical, de-identified, and anonymized.”
Yoon, who describes himself as a “hobby coder,” and his brother were able to retrieve JSON files with people’s names, gender identities, Zodiac signs, Myers-Briggs Personality types, and of course, Rice Purity Test scores. Moreover, he mentioned that the Datamatch database was “completely vulnerable to SQL injections, which means that passwords and other very, very private data were available.”
Yoon shared that this was not the first time Datamatch left user data bare. “What people don’t realize is that this is not Datamatch’s first insecurity. Datamatch, a couple of years ago, had every user’s personal data inside their publicly available GitHub. It really never received any attention. I don’t even think The Crimson covered it. Because once you alert the people at the top, they go on hiding campaigns, right?” He is referencing an incident mentioned in Datamatch’s privacy policy, in which the platform was informed that in 2019 and 2020 their website had a potential security vulnerability. Yoon commented, “They admit to having had this exact flaw for years, but still didn’t fully change their architecture and built irresponsibly on top of it. There’s a reason the security community doesn’t tell companies directly and instead whistleblows through anonymized data demonstrations—so that it can’t just be glossed over like they clearly did for years.”
But Yoon stated he did not interrogate every data type accessible, such as passwords, places of residence, or preferences for the Crush Roulette feature, where users had the option to improve their odds of matching with a crush by submitting their name. Yoon expressed that he did not even know what the Crush Roulette data meant when he found the data vulnerability—he did not fill out a profile on the principle of minimizing personal data dissemination. “That was something we didn’t investigate. I didn’t know what that was. I’m not a user. I had no idea what that was until very recently.”
Once he had assembled his findings, Yoon tried to flag the vulnerabilities to two younger members of Datamatch. “I did attempt to reach out to a couple of people that I know at Datamatch. None of them responded.” He quickly clarified: “They were dismissive.” Thereafter, Yoon assumed the name “bernie marx,” referring to Bernard Marx from Aldous Huxley’s Brave New World, and published his website.
Datamatch responded to the data privacy project with an email to its users on Feb. 27, which stated: “We were informed about the vulnerability at 8:48 p.m. EST on February 25, 2024 and locked access to the APIs corresponding to these attributes by 9:30 p.m. EST. An hour later, we deleted all Rice Purity, MBTI, and Zodiac sign information to guarantee that others could not exploit it using the same method the report detailed. As of 3:15 a.m. EST on February 26, 2024, the website closed and all remaining APIs were disabled.”
But the Datamatch team also made a request: “Moving forward, we ask that if you identify a security flaw, please contact us through the above channels so that we may fix the issue first.”
The ripples got back to Yoon quickly. “[I felt] overwhelmed. My intention was not to go public about who I was, that was the result of The Harvard Crimson pressure.” The Sidechat discourse surrounding Yoon exploded after The Crimson surfaced his identity, with many students calling his act a political stunt. His response? “It’s no secret that I am interested in politics. At the same time, I don’t understand how this would be connected to my political future. Once again, I was trying to keep this anonymous.”
Near the end of the interview, Yoon expressed disappointment. “I just thought I’d have a little more time for the point to sink in, and then for my identity to be the afterthought, but instead the order got flipped by The Crimson.”
“Yeah, I think the saddest part of this all is that the message got lost within the zeitgeist. My persona kind of became a cultural phenomenon. A lot of the message got diluted through that.” He lamented Sidechat “talking about the discourse and talking about the person, but not talking about the reason that the person or the discourse started in the first place.”
Despite these emotions, Yoon says he has no regrets.
“If I could figure out a way to drive the point home without having myself involved whatsoever, I would do it again,” Yoon said. “Once the attention economy runs dry in 48 hours, no one on Sidechat’s gonna be talking about this. What does need to last hopefully is that these brilliant people who go to Harvard who ultimately will become very successful product managers or United States senators remember that this is an issue that people need to care about.”
Mir Zayid Alam ’25 (mirzayidalam@college.harvard.edu) had a great Valentine’s Day.