• narc0tic_bird@beehaw.org
    link
    fedilink
    arrow-up
    86
    ·
    1 year ago

    So they “broke into Reddit” back in February and contacted Reddit in April. After Reddit didn’t react they contacted them again a few days ago at this very opportunistic time.

    They never specified exactly what kind of data they stole, nor did they prove it by providing samples.

    For all we know this story could be entirely made up and they actually have nothing.

    But even if they have something, them trying to come across as the good guys in this is so weird to me. No, you’re not the good guys. You are criminals.

  • Th4tGuyII@kbin.social
    link
    fedilink
    arrow-up
    80
    ·
    1 year ago

    I want the API changes reverted as much as any other Reddit refugees here, but I can’t stand behind this kind of malfeasant extortion.

    Not only is it blatantly obvious they’re using the API change rhetoric as a means of irritating Reddit into giving them their hush money, it also avts towards delegitimising all protest efforts made by the Subreddits thus far

      • BlueBockser@programming.dev
        link
        fedilink
        arrow-up
        28
        ·
        1 year ago

        But as the text says, this extortion began 5 days before the API changes were even announced. These criminals don’t give a f*ck about the API and threaten to leak the data of those same users they’re claiming to protect.

        I think we should just ignore this, because it’s a distraction for public pressure and will only make Reddit look better - either by delegitimising the protest or by making them look like a victim instead of the perpetrator they are.

          • niktemadur@kbin.social
            link
            fedilink
            arrow-up
            19
            ·
            edit-2
            1 year ago

            I’m going to say what you did, more diplomatically:

            While I don’t condone extortion via hacking or any other means, I acknowledge that Reddit and its’ dysfunctional, incompetent corporate culture - with Huffman at the top - brought this development upon themselves.

          • Th4tGuyII@kbin.social
            link
            fedilink
            arrow-up
            5
            ·
            1 year ago

            But when that spanking both threatens the very users they’re claiming to fight for, and threatens to delegitimise all of those user’s and moderator’s protest efforts by giving Reddit a victimhood, I think it is downright stupid to cheer that on

      • Th4tGuyII@kbin.social
        link
        fedilink
        arrow-up
        17
        ·
        1 year ago

        Karma IS a bitch, but I for one am still not going to stand behind illegalities like this. It’s not the way.

        As I said before, these hackers don’t care. The grandstanding is their way of getting attention off the backs of the protests. All supporting these criminals does is delegitimise the real protest by making Reddit look like the victim.

        That aside, even from a practical standpoint this wouldn’t work longterm. If extorted into backpeddalling, Reddit will just quietly up their data security, and once they’ve made sure the threat of a leak is dealt with, they’ll go right on back to the API change.

    • ipkpjersi@lemmy.one
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      1 year ago

      While I agree with you, it’s also hard for me to feel bad for Reddit in this scenario.

      I think it’s not relevant to our cause either way and it’s something that will be forgotten about eventually even if whatever data gets leaked publicly.

      We just gotta focus on making Lemmy better and more desirable.

        • zalack@kbin.social
          link
          fedilink
          arrow-up
          12
          ·
          edit-2
          1 year ago

          Not that this isn’t scummy but my understanding is that “ransomware” refers to software that locks a user or organization out of their systems until a fee is paid, generally my encrypting the disk.

          This seems like a more traditional “hack” of a system where you get in and download data. Which makes threatening them is traditional blackmail.

          • red@feddit.deOP
            link
            fedilink
            arrow-up
            10
            ·
            1 year ago

            The point is that Alphv is an operator of ransomware as a service (RaaS), specifically BlackCat, independent of whether they used ransomware in this specific attack (which it indeed doesn’t sound like).

      • HopeOfTheGunblade@kbin.social
        link
        fedilink
        arrow-up
        7
        ·
        1 year ago

        Yup. They absolutely shouldn’t pay, for decision theoretic reasons, but that doesn’t mean there won’t be interesting fireworks to watch.

        • PelicanPersuader@beehaw.org
          link
          fedilink
          arrow-up
          4
          ·
          1 year ago

          I’ll be real curious if they have browsing data or subs tied to email addresses. How many .gov emails are subbed to nothing but fetish and porn subreddits?

  • totorohno@lemmy.one
    link
    fedilink
    arrow-up
    33
    ·
    1 year ago

    Fuck spez, but this is not the way. Why even ask for money if they don’t expect Reddit to pay? That cheapens their cause.

  • Laille@kbin.social
    link
    fedilink
    arrow-up
    32
    ·
    edit-2
    1 year ago

    lol, fuck reddit, but do they expect us to cheer for them when they’re holding user data hostage? They can fuck right off too.

    • cowvin@kbin.social
      link
      fedilink
      arrow-up
      36
      ·
      1 year ago

      Usually what happens is that these sorts of blackmailers will leak small, verifiable pieces of data so people know they really got something. We don’t see that here, so for now there’s no reason to take them seriously yet.

      • bstix@feddit.dk
        link
        fedilink
        arrow-up
        5
        ·
        1 year ago

        It would still be really easy for Reddit to say “nah homie, thats not our data” even if it is and even if Reddit knows that it is.

        How are the hackers able to verify that the data did come from Reddit?

    • red@feddit.deOP
      link
      fedilink
      arrow-up
      19
      ·
      1 year ago

      No. If Reddit would negotiate with them, they’d probably leak small subsets as proof that they have actual data that isn’t available publicly. But with no negotiations, there’s not really any need for that.

    • vandrw@mander.xyz
      link
      fedilink
      arrow-up
      19
      ·
      1 year ago

      No, haha. They also didn’t bother to check what was stolen, so they could have very well gotten 80G of memes.

        • BLÅHAJ@beehaw.org
          link
          fedilink
          arrow-up
          18
          ·
          1 year ago

          Likewise, to me I interpreted as “There was no attempt (from reddit) to find out what we took.”

        • I_Miss_Daniel@kbin.social
          link
          fedilink
          arrow-up
          4
          ·
          1 year ago

          How do people even know what’s been stolen? I know if someone logged into my server and copied stuff, they only way I’d know would be higher data usage.

          • AtomicPurple@kbin.social
            link
            fedilink
            arrow-up
            8
            ·
            1 year ago

            Either server logs, or the hackers sending them part of the data they have to prove they’re ligit. I assume the latter would have happened if Reddit had shown any interest in negotiating.

      • waz@feddit.uk
        link
        fedilink
        English
        arrow-up
        12
        ·
        1 year ago

        I read that to mean Reddit didn’t try to identify the stolen data, rather than the exploitists. Is that right?

    • pitninja@lemmy.pit.ninja
      link
      fedilink
      arrow-up
      14
      ·
      1 year ago

      If Reddit were to reach out privately to this group, the first thing they’d probably do is ask for proof. It’s trivially easy to provide proof you’ve carried out a hack; you just present some specific information that was not public and describe what all else you have in specific enough terms they know you’re not bluffing. (Or, I suppose you could just send them your whole dump if you really want to make it clear what all you have). The only way the rest of us will be able to validate these claims is if they leak and it either matches users’ own private account info or Reddit issues a disclosure about the hack (which I’m pretty sure they’re supposed to do regardless).

    • postmeridiem@lemmy.antemeridiem.xyz
      link
      fedilink
      arrow-up
      10
      ·
      1 year ago

      Money lol. If they do have it and reddit negotiates then they’ll probably expect to be offered a higher price for dropping the API demand. They are just upping the ante.

  • Rachel@derp.foo
    link
    fedilink
    arrow-up
    19
    ·
    1 year ago

    Is there any information on what kind of data they stole? It’s a public forum with a lot of public data, it makes no sense that they negotiate about data that is already public.

    • tal@kbin.social
      link
      fedilink
      arrow-up
      25
      ·
      edit-2
      1 year ago

      Well, assuming that this is even directly related to the forum, as opposed to, say, email logs from the Reddit internal email server or something, things that might not be public:

      • Private messages between users.

      • Browsing data. I mean, maybe a user only posts on /r/politics, and that’s public, but spends a lot of time browsing /r/femdom or whatever.

      • IP addresses of users. Might be able to associate multiple accounts held by a user.

      • Passwords. While hopefully stored in a salted and hashed format, so they can’t be simply trivially obtained, they can still be attacked via dictionary attacks, which is why people are told not to use short and predictable passwords.

      • Email addresses (if a user registered one)

      • Reddit has some private chat feature that I’ve never used, which I imagine is logged.

    • cowvin@kbin.social
      link
      fedilink
      arrow-up
      13
      ·
      1 year ago

      Well they mention Github artifacts in that message so it sounds like it’s more like they may have obtained source code and that sort of non public stuff.

      • mobyduck648@beehaw.org
        link
        fedilink
        arrow-up
        11
        ·
        1 year ago

        Their code was open source until 2017 and it’s got progressively more dogshit for the end user since, I suspect if this is real it’s probably a bit juicier.

  • sourcery@lemmy.one
    link
    fedilink
    arrow-up
    18
    ·
    edit-2
    1 year ago

    I wouldn’t give them a cent or negotiate at all either, and the public aren’t going to give a shit about how they’re being tracked.

    • tal@kbin.social
      link
      fedilink
      arrow-up
      13
      ·
      1 year ago

      I kind of assumed that everything that could be logged was, and that it would be data-mined insofar as value could be extracted from it down the line.

    • Deestan@beehaw.org
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Negotiating is futile. They can never prove beyond “trust me bro” that they deleted the data, nor that they kept it secret, so why would they actually follow up?

      Whatever they have, if it is good they have already sold it to several interested parties under the table, and they will continue to do so. This is just an attempt to grift out a bit of extra cash.

  • BrooklynMan@lemmy.ml
    link
    fedilink
    arrow-up
    13
    ·
    edit-2
    1 year ago

    lol, ok. i mean, even if this is true (which, eh, maybe it is), I’m not really sure it’s worth what they’re asking for it. if this threat is genuine, and they follow through, it will certainly be publically embarrassing for spez at a really bad time. but there’s zero chance he’s going to give in to their demands.

    i don’t expect the data dump would contain anything particularly juicy, or these demands would have been made months ago. it’s just that it would be embarrassing for reddit (and spez) if it happened, particularly right now.