this post was submitted on 19 Jun 2023
4 points (100.0% liked)

Asklemmy

43811 readers
982 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS
top 20 comments
sorted by: hot top controversial new old
[–] const_void@lemmy.ml 3 points 1 year ago (1 children)

Probably should've invested in better security instead of trying to chase tech trends like NFTs.

[–] gkd@lemmy.ml 1 points 1 year ago (1 children)

You mean the 100th award I could buy was starting to be overkill? /s

[–] const_void@lemmy.ml 2 points 1 year ago* (last edited 1 year ago) (1 children)

Thanks for the gold kind stranger! 🤮

[–] Luccajan@sh.itjust.works 0 points 1 year ago (1 children)

Thanks for the puke kind strager

[–] Royalish@lemmy.ml 1 points 1 year ago

Thanks for the thanks thanks thanks.

[–] gentleman@kbin.social 2 points 1 year ago

@Phoeniqz If Reddit is only announcing the hack now then that is very likely going to be a legal problem in a number of US jurisdictions, not to mention EU and others.

[–] njinx@lemmy.world 1 points 1 year ago

Sucks that they lumped API changes into their demands. This is going to make good-faith protestors look bad.

[–] atypicaloddity@kbin.social 1 points 1 year ago

It happened a while back and is just popping up again now because they're capitalizing on the Reddit drama. So I don't really have an opinion on them -- hacking bad, etc but I don't really care.

[–] farizer@kbin.social 0 points 1 year ago (1 children)

Hopefully they publish the data so we can add to the fediverse

[–] Phoeniqz@lemmy.dbzer0.com 1 points 1 year ago

The article says, the data supposedly contains information about Reddit's tracking system. I don't think we want that in the FediVerse

[–] FarceMultiplier@lemmy.ca 0 points 1 year ago (1 children)

No website is invulnerable. Since we know from Reddit's godawful official app they don't do development very well, no doubt the website also has vulnerable holes.

[–] PascalSausage@beehaw.org 0 points 1 year ago (1 children)

They didn't access the data through a vulnerability in the code, they phished some employee credentials and access it that way.

[–] FarceMultiplier@lemmy.ca 2 points 1 year ago (1 children)

That in itself is a vulnerability. In my company we check for impossible travel, browser variance, etc. Credentials are only one aspect of this.

[–] PascalSausage@beehaw.org 1 points 1 year ago* (last edited 1 year ago)

True, I just interpreted your comment differently to that.

[–] tojikomori@kbin.social 0 points 1 year ago (1 children)

I've seen a few sites welcome the news with glee, as though Reddit's leadership is going to be strongly affected. That's childish and myopic. This is bad news for everyone.

Whether or not Reddit pays, we should assume the data will make its way into the hands of people who (further) weaponize it against Reddit's users, e.g. people who've posted risque photos of themselves or shared compromising details through throwaway accounts can be doxxed or matched to their normal accounts via their IP or other common details. PMs and other private account details might contain mailing addresses and other private or compromising information, too. (Edit: as Phoeniqz points out in replies, the article author assumes this is not the case based on Reddit's and BlackCat's statements about the leak.)

If Reddit knew about the breach earlier and didn't do their due diligence to alert users, then that's further condemnation of their leadership and priorities, but it doesn't undo the damage this might cause users.

If Reddit were to pay BlackCat, then it would further enrich, reward, and encourage them. If, as is more likely, it doesn't, then the blowback it receives (especially from any high profile consequences of the leak) might encourage other companies to pay up in future.

[–] Phoeniqz@lemmy.dbzer0.com 0 points 1 year ago* (last edited 1 year ago) (1 children)

From the article:

We can be pretty sure of what to doesn’t include, and that’s user data such as account details, passwords or payment information. That’s because, from the very start, Reddit made it quite clear that the ‘live’ production systems holding such data were not breached.

[–] tojikomori@kbin.social 1 points 1 year ago

Yes but note the specific details of that assumption and their reasoning: it's based on reddit's announcement of the security incident a few months ago which starts:

Based on our investigation so far, Reddit user passwords and accounts are safe…

Now, look again at what BlackCat has promised in this leak:

Instead, BlackCat is teasing such revelations as "all the statistics they track about their users," and data concerning how Reddit "silently censors users."

80 GB of "statistics and data" about Reddit's users is a lot. It may not contain raw IP addresses, but we know that IP matching is one of the ways Reddit catches sock puppets, so there may at least be a hash that could be used to identify accounts held by the same users.

Am I going too far worrying about PMs and other details? Maybe. It really depends on the honesty and competence of BlackCat and Reddit, and the article author's assumptions based on their statements.