So they “broke into Reddit” back in February and contacted Reddit in April. After Reddit didn’t react they contacted them again a few days ago at this very opportunistic time.
They never specified exactly what kind of data they stole, nor did they prove it by providing samples.
For all we know this story could be entirely made up and they actually have nothing.
But even if they have something, them trying to come across as the good guys in this is so weird to me. No, you’re not the good guys. You are criminals.
February? Then I believe they have obtained a full copy of all posts and comments on the site. /s
(For those who don’t get the joke: https://github.com/Watchful1/PushshiftDumps - full dumps of all Reddit data up to February exist, and I think archive.org has the March file too)
They may be the bad guys, but they’re not necessarily bad guys
“I believe you find life such a problem because you think there are good people and bad people. You’re wrong, of course. There are, always and only, the bad people, but some of them are on opposite sides.”
Is it weird that I kind of want both groups to lose out here?
The enemy of my enemy is also my enemy.
Maxim 29: The enemy of my enemy is my enemy’s enemy. No more. No less.
-The Seventy Maxims of Maximally Effective Mercenaries
It’s enemies all the way down
Always has been.
I want the API changes reverted as much as any other Reddit refugees here, but I can’t stand behind this kind of malfeasant extortion.
Not only is it blatantly obvious they’re using the API change rhetoric as a means of irritating Reddit into giving them their hush money, it also avts towards delegitimising all protest efforts made by the Subreddits thus far
While I agree with you, it’s also hard for me to feel bad for Reddit in this scenario.
I think it’s not relevant to our cause either way and it’s something that will be forgotten about eventually even if whatever data gets leaked publicly.
We just gotta focus on making Lemmy better and more desirable.
deleted by creator
But as the text says, this extortion began 5 days before the API changes were even announced. These criminals don’t give a f*ck about the API and threaten to leak the data of those same users they’re claiming to protect.
I think we should just ignore this, because it’s a distraction for public pressure and will only make Reddit look better - either by delegitimising the protest or by making them look like a victim instead of the perpetrator they are.
deleted by creator
I’m going to say what you did, more diplomatically:
While I don’t condone extortion via hacking or any other means, I acknowledge that Reddit and its’ dysfunctional, incompetent corporate culture - with Huffman at the top - brought this development upon themselves.
deleted by creator
Karma IS a bitch, but I for one am still not going to stand behind illegalities like this. It’s not the way.
As I said before, these hackers don’t care. The grandstanding is their way of getting attention off the backs of the protests. All supporting these criminals does is delegitimise the real protest by making Reddit look like the victim.
That aside, even from a practical standpoint this wouldn’t work longterm. If extorted into backpeddalling, Reddit will just quietly up their data security, and once they’ve made sure the threat of a leak is dealt with, they’ll go right on back to the API change.
deleted by creator
Ooh ThE rEdDiT fIlEs I can only hope it’s more interesting than the twitter files
80gb? That isn’t too much but guess if it’s internal information and docs could be damaging to a public offering.
For context, based on historical pushshift data:
- 80gb zipped decompresses to ~1100GB of text data
- 80gb zipped would only be the most recent ~4 months of comments
They do indicate that the data they have is more valuable though, particularly pointing out how users are being tracked (GDPR alarm bells ringing) or censored.
Might be a single weird Bee Movie video meme as well.
Can you share the onion link here
Ransomware operators are scum and should not be trusted, let alone paid.
Agreed they definitely shouldn’t pay these guys.
unfolds chair
Yup. They absolutely shouldn’t pay, for decision theoretic reasons, but that doesn’t mean there won’t be interesting fireworks to watch.
I’ll be real curious if they have browsing data or subs tied to email addresses. How many .gov emails are subbed to nothing but fetish and porn subreddits?
This isn’t ransomware. This is standard blackmail.
Correct, but done by ransomware operators.
Not that this isn’t scummy but my understanding is that “ransomware” refers to software that locks a user or organization out of their systems until a fee is paid, generally my encrypting the disk.
This seems like a more traditional “hack” of a system where you get in and download data. Which makes threatening them is traditional blackmail.
The point is that Alphv is an operator of ransomware as a service (RaaS), specifically BlackCat, independent of whether they used ransomware in this specific attack (which it indeed doesn’t sound like).
Oh I see. I misunderstood the comment then. Thanks for the clarification!
I wonder if u/spez ordered this hack so he can back off and save face. Of course I don’t know the context but that’s the first thing that comes to mind.
Nah, reading this no this hack is personal. They hacked this site months ago and now they’re coming in here looking the heroes of the story? No, they were ignored. The hackers got pissed and now they’re using this as an opportunity to get back at reddit. So what, they got maybe a terabyte of decompressed data at most, and they want 4 million dollars? This feels like some script kiddies utilizing a bad situation after getting ignored, not a professional op.
Fuck spez, but this is not the way. Why even ask for money if they don’t expect Reddit to pay? That cheapens their cause.
Their cause is the money. Everything else is marketing.
Nah you’re not going to catch me rooting for a ransomware attacker
john-oliver-cool-sarcastic.gif
Put up or shut up
Is there any way to validate these claims?
No, haha. They also didn’t bother to check what was stolen, so they could have very well gotten 80G of memes.
I took that to mean no one at Reddit bothered to check what was stolen.
Likewise, to me I interpreted as “There was no attempt (from reddit) to find out what we took.”
How do people even know what’s been stolen? I know if someone logged into my server and copied stuff, they only way I’d know would be higher data usage.
Either server logs, or the hackers sending them part of the data they have to prove they’re ligit. I assume the latter would have happened if Reddit had shown any interest in negotiating.
I read that to mean Reddit didn’t try to identify the stolen data, rather than the exploitists. Is that right?
If Reddit were to reach out privately to this group, the first thing they’d probably do is ask for proof. It’s trivially easy to provide proof you’ve carried out a hack; you just present some specific information that was not public and describe what all else you have in specific enough terms they know you’re not bluffing. (Or, I suppose you could just send them your whole dump if you really want to make it clear what all you have). The only way the rest of us will be able to validate these claims is if they leak and it either matches users’ own private account info or Reddit issues a disclosure about the hack (which I’m pretty sure they’re supposed to do regardless).
Usually what happens is that these sorts of blackmailers will leak small, verifiable pieces of data so people know they really got something. We don’t see that here, so for now there’s no reason to take them seriously yet.
Only $4.5 million? That amount seems kind of low if the data they have is as valuable as they say.
lol, ok. i mean, even if this is true (which, eh, maybe it is), I’m not really sure it’s worth what they’re asking for it. if this threat is genuine, and they follow through, it will certainly be publically embarrassing for spez at a really bad time. but there’s zero chance he’s going to give in to their demands.
i don’t expect the data dump would contain anything particularly juicy, or these demands would have been made months ago. it’s just that it would be embarrassing for reddit (and spez) if it happened, particularly right now.
I wouldn’t give them a cent or negotiate at all either, and the public aren’t going to give a shit about how they’re being tracked.
