So they "broke into Reddit" back in February and contacted Reddit in April. After Reddit didn't react they contacted them again a few days ago at this very opportunistic time.
They never specified exactly what kind of data they stole, nor did they prove it by providing samples.
For all we know this story could be entirely made up and they actually have nothing.
But even if they have something, them trying to come across as the good guys in this is so weird to me. No, you're not the good guys. You are criminals.
“I believe you find life such a problem because you think there are good people and bad people. You're wrong, of course. There are, always and only, the bad people, but some of them are on opposite sides.”
I want the API changes reverted as much as any other Reddit refugees here, but I can't stand behind this kind of malfeasant extortion.
Not only is it blatantly obvious they're using the API change rhetoric as a means of irritating Reddit into giving them their hush money, it also acts towards delegitimising all protest efforts made by the Subreddits thus far.
While I agree with you, it's also hard for me to feel bad for Reddit in this scenario.
I think it's not relevant to our cause either way and it's something that will be forgotten about eventually even if whatever data gets leaked publicly.
We just gotta focus on making Lemmy better and more desirable.
I'd have more respect if the leak were done by disgruntled employees, but this attempt to leak is done by a ransomware operator who failed to extort them in the first place.
Usually what happens is that these sorts of blackmailers will leak small, verifiable pieces of data so people know they really got something. We don't see that here, so for now there's no reason to take them seriously yet.
No. If Reddit were to negotiate with them, they'd probably leak small subsets as proof that they have actual data that isn't available publicly. But with no negotiations, there's not really any need for that.
If Reddit were to reach out privately to this group, the first thing they'd probably do is ask for proof. It's trivially easy to provide proof you've carried out a hack; you just present some specific information that was not public and describe what all else you have in specific enough terms they know you're not bluffing. (Or, I suppose you could just send them your whole dump if you really want to make it clear what all you have). The only way the rest of us will be able to validate these claims is if they leak and it either matches users' own private account info or Reddit issues a disclosure about the hack (which I'm pretty sure they're supposed to do regardless).
Money lol. If they do have it and reddit negotiates then they'll probably expect to be offered a higher price for dropping the API demand. They are just upping the ante.
Is there any information on what kind of data they stole?
It’s a public forum with a lot of public data, it makes no sense that they negotiate about data that is already public.
Well, assuming that this is even directly related to the forum, as opposed to, say, email logs from the Reddit internal email server or something, things that might not be public:
Private messages between users.
Browsing data. I mean, maybe a user only posts on /r/politics, and that's public, but spends a lot of time browsing /r/femdom or whatever.
IP addresses of users. Might be able to associate multiple accounts held by a user.
Passwords. While hopefully stored in a salted and hashed format, so they can't be simply trivially obtained, they can still be attacked via dictionary attacks, which is why people are told not to use short and predictable passwords.
Email addresses (if a user registered one)
Reddit has some private chat feature that I've never used, which I imagine is logged.
Well they mention Github artifacts in that message so it sounds like it's more like they may have obtained source code and that sort of non public stuff.
Their code was open source until 2017 and it’s got progressively more dogshit for the end user since, I suspect if this is real it’s probably a bit juicier.
lol, ok. i mean, even if this is true (which, eh, maybe it is), I'm not really sure it's worth what they're asking for it. if this threat is genuine, and they follow through, it will certainly be publicly embarrassing for spez at a really bad time. but there's zero chance he's going to give in to their demands.
i don't expect the data dump would contain anything particularly juicy, or these demands would have been made months ago. it's just that it would be embarrassing for reddit (and spez) if it happened, particularly right now.
Depends on what kind of data, if it’s mostly internal documents / dumps of whatever communication systems they use etc, it would not be too large (mostly because of retention policies on that software).
If it is actually the data straight from Reddit’s production databases, then 80GB does sound questionable. But then what kind of data are we talking about? Is it actually valuable?
I'd be surprised if the data was just content. Memes and texts aren't particularly valuable.
However, data that can be used for tracking/developing user profiles such as what they're subscribed to, how active they are, and how they all link to one another is especially useful for competitors and marketers. Plus any personal data such as emails and profiles. I wouldn't be surprised if you managed to get a huge amount of data under 80gb if it's just text (think how big an 80gb excel sheet would be).
I could get 80 GB of Reddit data in a day. ArchiveTeam has uploaded 2.97 PB (1PB is 1024 TB or 1048576 GB) so far trying to back up all of Reddit to the Internet Archive and they're still not finished!
80gb zipped would only be the most recent ~4 months of comments
They do indicate that the data they have is more valuable though, particularly pointing out how users are being tracked (GDPR alarm bells ringing) or censored.
Yep, kinda hard to give a fuck. I wonder though if anyone has used Reddit's private message and other features for messages they wouldn't want to be public.
And using an email address in any service, everyone should know by now there's a good chance they leak at some point.
Or using phone numbers for 2FA... Reddit will definitely make money off your user data, but there's a world of difference between that and criminal scum like this.
I wonder if u/spez ordered this hack so he can back off and save face. Of course I don't know the context but that's the first thing that comes to mind.
Nah, reading this, no, this hack is personal. They hacked this site months ago and now they're coming in here looking like the heroes of the story? No, they were ignored. The hackers got pissed and now they're using this as an opportunity to get back at reddit. So what, they got maybe a terabyte of decompressed data at most, and they want 4 million dollars? This feels like some script kiddies utilizing a bad situation after getting ignored, not a professional op.