asjmcguire

Reddit has been going for like a billion years, and you only got 80GB - I mean even zipped, that can’t even be a fraction of the data surely?

@ddnomad@infosec.pub

Depends on what kind of data. If it’s mostly internal documents / dumps of whatever communication systems they use etc., it would not be too large (mostly because of retention policies on that software).

If it is actually the data straight from Reddit’s production databases, then 80GB does sound questionable. But then what kind of data are we talking about? Is it actually valuable?

Anyways, this is big (if true).

Trebach

I could get 80 GB of Reddit data in a day. ArchiveTeam has uploaded 2.97 PB (1PB is 1024 TB or 1048576 GB) so far trying to back up all of Reddit to the Internet Archive and they’re still not finished!

internal documents, source code, employee data, and limited data about the company’s advertisers.

https://www.bleepingcomputer.com/news/security/blackcat-ransomware-gang-behind-reddit-breach-from-february/

So they “broke into Reddit” back in February and contacted Reddit in April. After Reddit didn’t react they contacted them again a few days ago at this very opportunistic time.

They never specified exactly what kind of data they stole, nor did they prove it by providing samples.

For all we know this story could be entirely made up and they actually have nothing.

But even if they have something, them trying to come across as the good guys in this is so weird to me. No, you’re not the good guys. You are criminals.

They may be the bad guys, but they’re not necessarily bad guys

Kaldo

“I believe you find life such a problem because you think there are good people and bad people. You’re wrong, of course. There are, always and only, the bad people, but some of them are on opposite sides.”

February? Then I believe they have obtained a full copy of all posts and comments on the site. /s

(For those who don’t get the joke: https://github.com/Watchful1/PushshiftDumps - full dumps of all Reddit data up to February exist, and I think archive.org has the March file too)

Th4tGuyII

I want the API changes reverted as much as any other Reddit refugees here, but I can’t stand behind this kind of malfeasant extortion.

Not only is it blatantly obvious they’re using the API change rhetoric as a means of irritating Reddit into giving them their hush money, it also acts towards delegitimising all protest efforts made by the Subreddits thus far.

deleted by creator

But as the text says, this extortion began 5 days before the API changes were even announced. These criminals don’t give a f*ck about the API and threaten to leak the data of those same users they’re claiming to protect.

I think we should just ignore this, because it’s a distraction for public pressure and will only make Reddit look better - either by delegitimising the protest or by making them look like a victim instead of the perpetrator they are.

deleted by creator

niktemadur

I’m going to say what you did, more diplomatically:

While I don’t condone extortion via hacking or any other means, I acknowledge that Reddit and its dysfunctional, incompetent corporate culture - with Huffman at the top - brought this development upon themselves.

Th4tGuyII

Karma IS a bitch, but I for one am still not going to stand behind illegalities like this. It’s not the way.

As I said before, these hackers don’t care. The grandstanding is their way of getting attention off the backs of the protests. All supporting these criminals does is delegitimise the real protest by making Reddit look like the victim.

That aside, even from a practical standpoint this wouldn’t work long-term. If extorted into backpedalling, Reddit will just quietly up their data security, and once they’ve made sure the threat of a leak is dealt with, they’ll go right on back to the API change.

deleted by creator

While I agree with you, it’s also hard for me to feel bad for Reddit in this scenario.

I think it’s not relevant to our cause either way and it’s something that will be forgotten about eventually even if whatever data gets leaked publicly.

Is it safe to assume that nothing comes of this… Just like every other “hacker group” pretending they hacked some major entity for a good cause?

redcalcium

Ransomware operators are scum and should not be trusted, let alone paid.

cowvin

This isn’t ransomware. This is standard blackmail.

redcalcium

I’d have more respect if the leak were done by disgruntled employees, but this attempt to leak is done by a ransomware operator who failed to extort them in the first place.

YMS

Correct, but done by ransomware operators.

zalack

Not that this isn’t scummy, but my understanding is that “ransomware” refers to software that locks a user or organization out of their systems until a fee is paid, generally by encrypting the disk.

This seems like a more traditional “hack” of a system where you get in and download data. Which makes threatening them traditional blackmail.

@red@feddit.de
creator

The point is that Alphv is an operator of ransomware as a service (RaaS), specifically BlackCat, independent of whether they used ransomware in this specific attack (which it indeed doesn’t sound like).

gds

Agreed they definitely shouldn’t pay these guys.

unfolds chair

Yup. They absolutely shouldn’t pay, for decision theoretic reasons, but that doesn’t mean there won’t be interesting fireworks to watch.

I’ll be real curious if they have browsing data or subs tied to email addresses. How many .gov emails are subbed to nothing but fetish and porn subreddits?

Nice plot twist. Soon we can write a book about all this… :)

Laille

lol, fuck reddit, but do they expect us to cheer for them when they’re holding user data hostage? They can fuck right off too.

@cultsuperstar@lemmy.ml
bot account

Only $4.5 million? That amount seems kind of low if the data they have is as valuable as they say.

BrooklynMan

lol, ok. i mean, even if this is true (which, eh, maybe it is), I’m not really sure it’s worth what they’re asking for it. if this threat is genuine, and they follow through, it will certainly be publicly embarrassing for spez at a really bad time. but there’s zero chance he’s going to give in to their demands.

i don’t expect the data dump would contain anything particularly juicy, or these demands would have been made months ago. it’s just that it would be embarrassing for reddit (and spez) if it happened, particularly right now.

Is there any information on what kind of data they stole? It’s a public forum with a lot of public data; it makes no sense that they negotiate about data that is already public.

tal

Well, assuming that this is even directly related to the forum, as opposed to, say, email logs from the Reddit internal email server or something, things that might not be public:

  • Private messages between users.

  • Browsing data. I mean, maybe a user only posts on /r/politics, and that’s public, but spends a lot of time browsing /r/femdom or whatever.

  • IP addresses of users. Might be able to associate multiple accounts held by a user.

  • Passwords. While hopefully stored in a salted and hashed format, so they can’t be simply trivially obtained, they can still be attacked via dictionary attacks, which is why people are told not to use short and predictable passwords.

  • Email addresses (if a user registered one)

  • Reddit has some private chat feature that I’ve never used, which I imagine is logged.

redcalcium

Reddit used to be open source and the password was hashed using bcrypt.

cowvin

Well they mention Github artifacts in that message so it sounds like it’s more like they may have obtained source code and that sort of non public stuff.

Their code was open source until 2017 and it’s got progressively more dogshit for the end user since, I suspect if this is real it’s probably a bit juicier.

kosmicpulse

Whether the data is with Reddit or the hackers, what difference does it make lol

GunnarRunnar

Yep, kinda hard to give a fuck. I wonder though if anyone has used Reddit’s private message and other features for messages they wouldn’t want to be public.

And using an email address in any service, everyone should know by now there’s a good chance they leak at some point.

Or using phone numbers for 2FA… Reddit will definitely make money off your user data, but there’s a world of difference between that and criminal scum like this.

80GB? That isn’t too much, but I guess if it’s internal information and docs it could be damaging to a public offering.

For context, based on historical pushshift data:

  • 80GB zipped decompresses to ~1100GB of text data
  • 80GB zipped would only be the most recent ~4 months of comments

They do indicate that the data they have is more valuable though, particularly pointing out how users are being tracked (GDPR alarm bells ringing) or censored.

Might be a single weird Bee Movie video meme as well.

@sourcery@lemmy.one

I wouldn’t give them a cent or negotiate at all either, and the public aren’t going to give a shit about how they’re being tracked.

bumbly

If it hurts the IPO, I’m all for it. My data on reddit is worthless anyway…

iAmTheTot

Nah you’re not going to catch me rooting for a ransomware attacker
