Is there any way to validate these claims?
No, haha. They also didn’t bother to check what was stolen, so they could have very well gotten 80G of memes.
How do people even know what’s been stolen? I know if someone logged into my server and copied stuff, they only way I’d know would be higher data usage.
Usually what happens is that these sorts of blackmailers will leak small, verifiable pieces of data so people know they really got something. We don’t see that here, so for now there’s no reason to take them seriously yet.
If Reddit were to reach out privately to this group, the first thing they’d probably do is ask for proof. It’s trivially easy to provide proof you’ve carried out a hack; you just present some specific information that was not public and describe what all else you have in specific enough terms they know you’re not bluffing. (Or, I suppose you could just send them your whole dump if you really want to make it clear what all you have). The only way the rest of us will be able to validate these claims is if they leak and it either matches users’ own private account info or Reddit issues a disclosure about the hack (which I’m pretty sure they’re supposed to do regardless).
lol, ok. i mean, even if this is true (which, eh, maybe it is), I’m not really sure it’s worth what they’re asking for it. if this threat is genuine, and they follow through, it will certainly be publically embarrassing for spez at a really bad time. but there’s zero chance he’s going to give in to their demands.
i don’t expect the data dump would contain anything particularly juicy, or these demands would have been made months ago. it’s just that it would be embarrassing for reddit (and spez) if it happened, particularly right now.
Is there any information on what kind of data they stole? It’s a public forum with a lot of public data, it makes no sense that they negotiate about data that is already public.
Well they mention Github artifacts in that message so it sounds like it’s more like they may have obtained source code and that sort of non public stuff.
Well, assuming that this is even directly related to the forum, as opposed to, say, email logs from the Reddit internal email server or something, things that might not be public:
-
Private messages between users.
-
Browsing data. I mean, maybe a user only posts on /r/politics, and that’s public, but spends a lot of time browsing /r/femdom or whatever.
-
IP addresses of users. Might be able to associate multiple accounts held by a user.
-
Passwords. While hopefully stored in a salted and hashed format, so they can’t be simply trivially obtained, they can still be attacked via dictionary attacks, which is why people are told not to use short and predictable passwords.
-
Email addresses (if a user registered one)
-
Reddit has some private chat feature that I’ve never used, which I imagine is logged.
Reddit used to be open source and the password was hashed using bcrypt.
Oooo, juicy. I’m looking forward to seeing how this goes down.
I wouldn’t give them a cent or negotiate at all either, and the public aren’t going to give a shit about how they’re being tracked.
I kind of assumed that everything that could be logged was, and that it would be data-mined insofar as value could be extracted from it down the line.
Negotiating is futile. They can never prove beyond “trust me bro” that they deleted the data, nor that they kept it secret, so why would they actually follow up?
Whatever they have, if it is good they have already sold it to several interested parties under the table, and they will continue to do so. This is just an attempt to grift out a bit of extra cash.