BlackCat claims to have hacked Reddit, and it is threatening to leak the data
Link information
- Authors
- Steve Bennett, Justin Luna, Hemant Saxena
- Published
- Jun 18 2023
Not much new this time around compared to when the leak was addressed by reddit earlier this year:
https://www.reddit.com/r/reddit/comments/10y427y/we_had_a_security_incident_heres_what_we_know/
The only development seems to be that they emailed reddit again demanding the same $4.5 million, but now also the reversal of the API changes.
Does anyone know if this is legit, or just some mod impersonating the potential hacker?
Are you kidding me? That's karmic hilarity at its finest.
A nice "Oh and fire Spez" at the end would have been awesome.
Get Pao back. That would do the impossible and actually bring back a little trust in reddit. Frankly, they did her dirty as hell last time and I think she deserves the chance to be CEO for real, rather than as a scapegoat. I'm certain she can do a better job than Steve or Yishan.
She seems... reluctant.
By the way, why do we call Ellen Pao by name but Steve Huffman by handle (i.e. u/spez)?
"Spez" is easier to say/type than "Steve Huffman". "Pao" is also short and easy to remember/say/type. No clue what her username is, or if she even had one.
u/ekjp, it's in the thread I linked.
Huffman may be harder to type than u/spez, but the latter makes him appear like "one of us", which clearly he is not.
Overinflated sense of self-regard. Childish. Petty in the extreme. Not nearly as intelligent as he thinks he is. Callous disregard for the consequences of poorly thought out actions.
Sounds like the median Redditor to me.
The law of abbreviations. The shortest thing to type tends to win on the internet because we are all at least a bit lazy. Same goes for words in common conversation, two syllables beats five. 'fuck /u/spez' also has some unfortunate alliteration that attracts people to it.
I think it's literally just that Ellen Pao got introduced to the community by real name (a "welcome to Ellen Pao, our new CEO" type post) while as founders Steve Huffman (And Alexis Ohanian) were interacting in the site in its early days where you'd just see their comments attributed to their username.
"Pass on the torch, Spez, you're no longer cut out for this kind of work" isn't too far off.
Should have increased demand to 44.5 million plus API reversal, then handed Apollo and RIF 20 million each for the "lulz".
That looks like a post on Blackcat's site, rather than an email, so it's definitely the group itself. I guess ransomware groups use Reddit too!
This is going to be a nothingburger. I’m calling it now.
Depends on what they stole from reddit. If they leak company emails so that users can see what corporate actually thinks of them, that could start the apocalypse.
Like when everybody discovered that Zuckerberg said "They trust me. Dumb fucks."?
Nothing will really change. The majority of users that are on reddit giving it money don't really care.
I think you're giving the users too much credit. Now that the major part of the protest is over, we're seeing that the majority of redditors don't care what corporate thinks of them.
Reddit is so infested with bots I have a hard time taking the human users' temperature anymore. That's the astroturfing narrative - for all we know people are arguing with twenty LLM comment farms at this point. It would sure as hell piss me off, but I left five years ago so my threshold is clearly lower than most users.
There's definite and obvious astroturfing that kind of rolls in seasonally as events occur. The big one for the last year has been Ukraine. And ironically any actual humans arguing against the pro-Ukraine bots/shills/dupes get immediately called Russian shills. As if saying that they might want to cool it with the rhetoric about nuclear war being acceptable because Russia is so bad at maintaining equipment there's no possibility any of their nukes will work is taking Russia's side and not, you know, humanity's.
That's a real example that's happened multiple times, by the way, and not just to me.
This next election cycle is going to be interesting, if Reddit is still around for it in any meaningful way. There was plenty of astroturfing already in 2016 and 2020, but AI tools have gotten a lot better and a lot more accessible since then, and the various governments and NGOs that would want to spew propaganda have taken much stronger notice of social media, too. Especially reddit.
I can't avoid reddit completely, especially for programming purposes, but I'm perfectly happy to spend my time here instead.
And if I never have to log in again, I'd be fine with that.
True. We will see I guess. My guess is that it ends up being mostly innocuous stuff.
You are probably right.
I find this a bit alarming for several reasons.
Firstly, I have a difficult time trusting Reddit's admins. They reported a security incident four months ago but claim that no user data was accessed according to their initial investigation. I don't think KeyserSosa is the same kind of pathological liar as Spez, but if they did lie about this and it turns out that hackers got a shitload of confidential user data, they could be getting sued to oblivion.
Blackcat are claiming that they have 80 gigabytes (zipped) of dirt on Reddit. Is there any chance of this data being confidential, like email addresses stored in plain text, hashed passwords, private message history between accounts, etc? I feel like the repository of account data would likely dwarf the file size of this leak? That's my second worry, by the way.
Thirdly, I fully believe that Reddit's admins are actively censoring users and harvesting tonnes of data on people, so I am positive that this leak is legit. Where this worries me is that this could be a full-blown dataclysm.
Yes, there is, and yes, I'd expect them to lie - but then I'm a cynic when it comes to IT. If the hackers had plenty of time to poke around before getting shut back out, they could have just about anything they wanted including salary information, bank account records, etc. If they release a history of user PMs... damn, what a shitstorm that will create. I've seen that play out before on other forums and it's pure acrimony. All the dirty laundry from every admin, mod, and user at once. That potentially includes data that reddit claims it deletes. It will become witch hunting season and redditors will lose their paranoid little minds sifting through it.
Any guesses on what is in the 80GB of zipped data that was taken? I'm curious if it's something particularly damning to reddit as a company, or data about their employees maybe? Since reddit users are anonymous and reddit doesn't store financial information or things like that I wouldn't think it would be anything dangerous to the users themselves.
The screenshot of the claim seems to imply it includes all of the data they collect on their users... which could be a particularly troubling revelation at this point, given everything else going on. I imagine they collect significantly more data about users through their official apps.
The official app asks for a whole lot of data to be collected, such as gender and age, health data, pretty much anything personal that an app can request is on there.
There have been tools for years that can figure out a lot about a user just by scraping the last 1000 comments. Here's one that's currently working, for example.
That's a third party tool hacked up by some rando who doesn't even work for the company. Imagine what Reddit itself knows about you. Or really any social media company.
Of course, but that doesn't make it better that the Reddit app collects much more data directly from your device than it has to.
Does reddit really need to know what weight I put into my health app for example? Or the fact that the Reddit app wants to be able to read and have the ability to delete text messages on Android? (I'm not making this up, the app is literally asking for this).
Oh, I'm not saying it's good. I'm saying it's terrifying.
Ah yeah, on that we agree!
Kinda scary really.
Imagine this combined with the AI tidbits that have been shared here recently. A customer service bot that can figure you out just by browsing data it collected.
There'll need to be a curb on what type of data is collected one day, if there isn't already.
Wow, that's a clever thing to steal, ngl
Their GDPR export implies they obtain exact IPs used for logins for a 2 year period, which is... questionable under GDPR.
Reddit doesn't exactly keep sensitive private data the way Facebook or even Twitter would. At its most damning it'd be internal employee information. Moderately concerning would be user passwords, but again: not much truly valuable account info to exploit. But I imagine it's something super tame like private subreddit info or mod logs (assuming it's even legitimate).
I highly doubt they got access to credit card info or something truly damaging to a person outside of some small scale mod sabotage.
Jesus, Reddit sure is burning down, almost cathartically so.
Just leak it already cowards, if they even have it.