Hopefully they publish the data so we can add to the fediverse
Probably should’ve invested in better security instead of trying to chase tech trends like NFTs.
You mean the 100th award I could buy was starting to be overkill? /s
Thanks for the gold kind stranger! 🤮
Thanks for the puke kind strager
Thanks for the thanks thanks thanks.
This will make their IPO go down :D
Reddit will never financially recover from this if they go public
Sucks that they lumped API changes into their demands. This is going to make good-faith protestors look bad.
Crackpot idea: it’s a false flag operation by reddit admins trying to sour protest support
as it happened in February, I’m not so sure…
I’ve seen a few sites welcome the news with glee, as though Reddit’s leadership is going to be strongly affected. That’s childish and myopic. This is bad news for everyone.
Whether or not Reddit pays, we should assume the data will make its way into the hands of people who (further) weaponize it against Reddit’s users, e.g. people who’ve posted risque photos of themselves or shared compromising details through throwaway accounts can be doxxed or matched to their normal accounts via their IP or other common details. PMs and other private account details might contain mailing addresses and other private or compromising information, too. (Edit: as Phoeniqz points out in replies, the article author assumes this is not the case based on Reddit’s and BlackCat’s statements about the leak.)
If Reddit knew about the breach earlier and didn’t do their due diligence to alert users, then that’s further condemnation of their leadership and priorities, but it doesn’t undo the damage this might cause users.
If Reddit were to pay BlackCat, then it would further enrich, reward, and encourage them. If, as is more likely, it doesn’t, then the blowback it receives (especially from any high profile consequences of the leak) might encourage other companies to pay up in future.
From the article:
We can be pretty sure of what to doesn’t include, and that’s user data such as account details, passwords or payment information. That’s because, from the very start, Reddit made it quite clear that the ‘live’ production systems holding such data were not breached.
That’s because, from the very start, Reddit made it quite clear that the ‘live’ production systems holding such data were not breached.
Because Reddit is known for being forthright and honest…
Yes but note the specific details of that assumption and their reasoning: it’s based on reddit’s announcement of the security incident a few months ago which starts:
Based on our investigation so far, Reddit user passwords and accounts are safe…
Now, look again at what BlackCat has promised in this leak:
Instead, BlackCat is teasing such revelations as “all the statistics they track about their users,” and data concerning how Reddit “silently censors users.”
80 GB of “statistics and data” about Reddit’s users is a lot. It may not contain raw IP addresses, but we know that IP matching is one of the ways Reddit catches sock puppets, so there may at least be a hash that could be used to identify accounts held by the same users.
Am I going too far worrying about PMs and other details? Maybe. It really depends on the honesty and competence of BlackCat and Reddit, and the article author’s assumptions based on their statements.
This is assuming that the group is telling the truth about what they found.
Great. Fuck em and if they leak it EU citizens can sue the shit out of them :)
No user data was accessed according to Reddit.
See, there is the problem, “according to reddit” they probably don’t even know themselves currently. I don’t believe them anyway.
They can 100% know what was accessed and what wasn’t. This didn’t just happen, it happened in February and their SOC team or an external company would have conducted a full sweep as they’re legally required to disclose what was breached in many of the territories they operate in, which they did four days after the incident took place. I know it’s on trend to hate Reddit right now, but it’s not some one man operation running on a dusty old server in a garage, it’s something like the 20th most visited website on the entire internet, and that comes with certain legal obligations. They know what they’re doing and clearly take this kind of thing seriously.
You don’t have to believe them, but there’s no proof that any user data was breached and they seem to have followed the proper protocols so far. Unless anything else comes out, I’m inclined to believe that they’re telling the truth, or at least not lying.
When it comes to legal obligations… Reddit is currently very hard violating EU laws, they don’t know shit or think it’s ok to ignore (mainly spez does).
@Phoeniqz If Reddit is only announcing the hack now then that is very likely going to be a legal problem in a number of US jurisdictions, not to mention EU and others.
I’m not so sure tho, as no user data was affected.
My read was that BlackCat only got non-prod data. So perhaps it’s sourcecode.
In which case… they’ve likely got nothing of value other than the code used to track users.