this post was submitted on 19 Jun 2023
25 points (100.0% liked)

Asklemmy

43940 readers
484 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
top 38 comments
sorted by: hot top controversial new old
[–] [email protected] 22 points 1 year ago (1 children)

Probably should've invested in better security instead of trying to chase tech trends like NFTs.

[–] [email protected] 13 points 1 year ago (1 children)

You mean the 100th award I could buy was starting to be overkill? /s

[–] [email protected] 15 points 1 year ago* (last edited 1 year ago) (1 children)

Thanks for the gold kind stranger! 🤮

[–] Luccajan 8 points 1 year ago (1 children)

Thanks for the puke kind strager

[–] [email protected] 5 points 1 year ago (1 children)

Thanks for the thanks thanks thanks.

[–] [email protected] 2 points 1 year ago

May I gift you a Guilded Reddit Gold NFT Snoo Platinum Anniversary edition for only 50 USD?

[–] [email protected] 8 points 1 year ago (1 children)

No website is invulnerable. Since we know from Reddit's godawful official app they don't do development very well, no doubt the website also has vulnerable holes.

[–] [email protected] 3 points 1 year ago (1 children)

They didn't access the data through a vulnerability in the code, they phished some employee credentials and access it that way.

[–] [email protected] 5 points 1 year ago (1 children)

That in itself is a vulnerability. In my company we check for impossible travel, browser variance, etc. Credentials are only one aspect of this.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

True, I just interpreted your comment differently to that.

[–] [email protected] 6 points 1 year ago (2 children)

@Phoeniqz If Reddit is only announcing the hack now then that is very likely going to be a legal problem in a number of US jurisdictions, not to mention EU and others.

[–] [email protected] 3 points 1 year ago (1 children)

I'm not so sure tho, as no user data was affected.

[–] [email protected] 3 points 1 year ago (1 children)

@Phoeniqz

@gentleman

My read was that BlackCat only got non-prod data. So perhaps it's sourcecode.

In which case.. they've likely got nothing of value other than the code used to track users.

[–] [email protected] 0 points 1 year ago (1 children)

@dismalnow having the code out there that Reddit uses to track accounts doesn't give me warm fuzzies. I'm not a technical guy but it seems that it would be better if that code had not been hacked and put in the hands of people with malicious intent. I have to defer to others on whether the hack compromises Reddit users' security.

[–] [email protected] 0 points 1 year ago (1 children)

@gentleman

it would be better if that code had not been hacked and put in the hands of people with malicious intent.

And if a frog had wings...

Now that it's out, it's best for affected parties to try to determine if immediate action is required to reduce damage to themselves via reddit's mistake - and all we have is a preliminary, and likely heavily redacted report from the company foolish enough to have allowed itself to get hacked.

So far the information points to non-production data. But the truth is that nobody knows the full scope of egressed data until BlackCat proves it, or reddit runs the fastest penetration forensics team EVER.

Therefore, it's unlikely to be user information of substance unless you e been uploading photos of your taint, connected your work email address, and have pm'd your credit card number to people.

[–] [email protected] 1 points 1 year ago

@dismalnow Maybe I should try that before I delete my Reddit account...at least the taint part. A parting gift to F u/spez. I think you proved my point. There a lot of people that read the revised terms of use and privacy policy when those came out and have an appreciation of the ramifications, but I suspect that a sizable percentage of Redditors do not. So as we are both no doubt are aware there are data-brokers that will piece together information in what we used to call a "mosaic approach" to create a profile - which is in part the cause for my concern.

@Phoeniqz

[–] [email protected] 2 points 1 year ago

Reddit announced it in February shortly after it was uncovered, the group that allegedly exfil'd the data has just started making threats now.

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago) (1 children)

If you think this will change anything at Reddit, think again.

Reddit will not pay them or meet their demands. If they do reverse any of their API changes, it won't be because of this. Businesses can't been seen to be caving to ransomware groups and rightly so, as it just encourages more of these types of attacks. ALPHV is 100% trying to cash in on the current resentment towards Reddit and it shows.

We also don't know what exactly has been accessed, as neither the group nor Reddit will confirm beyond Reddit stating that no production systems or user data was accessed. It could be 80GB of cat GIFs for all we know - I'm going to need more evidence that they have something big than a screenshot of the attacker saying "trust me bro".

[–] [email protected] 3 points 1 year ago

Yeah, since the attack already happened in February, they just used this opportunity to make them look good ("they are doing something for the community"). However, I don't know, but it might affect stock when Reddit goes public.

[–] [email protected] 4 points 1 year ago (1 children)

Hopefully they publish the data so we can add to the fediverse

[–] [email protected] 3 points 1 year ago

The article says, the data supposedly contains information about Reddit's tracking system. I don't think we want that in the FediVerse

[–] [email protected] 2 points 1 year ago (1 children)

Sucks that they lumped API changes into their demands. This is going to make good-faith protestors look bad.

[–] [email protected] 3 points 1 year ago (1 children)

Crackpot idea: it's a false flag operation by reddit admins trying to sour protest support

[–] [email protected] 2 points 1 year ago

as it happened in February, I'm not so sure...

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

I've seen a few sites welcome the news with glee, as though Reddit's leadership is going to be strongly affected. That's childish and myopic. This is bad news for everyone.

Whether or not Reddit pays, we should assume the data will make its way into the hands of people who (further) weaponize it against Reddit's users, e.g. people who've posted risque photos of themselves or shared compromising details through throwaway accounts can be doxxed or matched to their normal accounts via their IP or other common details. PMs and other private account details might contain mailing addresses and other private or compromising information, too. (Edit: as Phoeniqz points out in replies, the article author assumes this is not the case based on Reddit's and BlackCat's statements about the leak.)

If Reddit knew about the breach earlier and didn't do their due diligence to alert users, then that's further condemnation of their leadership and priorities, but it doesn't undo the damage this might cause users.

If Reddit were to pay BlackCat, then it would further enrich, reward, and encourage them. If, as is more likely, it doesn't, then the blowback it receives (especially from any high profile consequences of the leak) might encourage other companies to pay up in future.

[–] [email protected] 0 points 1 year ago* (last edited 1 year ago) (2 children)

From the article:

We can be pretty sure of what to doesn’t include, and that’s user data such as account details, passwords or payment information. That’s because, from the very start, Reddit made it quite clear that the ‘live’ production systems holding such data were not breached.

[–] [email protected] 2 points 1 year ago (1 children)

Yes but note the specific details of that assumption and their reasoning: it's based on reddit's announcement of the security incident a few months ago which starts:

Based on our investigation so far, Reddit user passwords and accounts are safe…

Now, look again at what BlackCat has promised in this leak:

Instead, BlackCat is teasing such revelations as "all the statistics they track about their users," and data concerning how Reddit "silently censors users."

80 GB of "statistics and data" about Reddit's users is a lot. It may not contain raw IP addresses, but we know that IP matching is one of the ways Reddit catches sock puppets, so there may at least be a hash that could be used to identify accounts held by the same users.

Am I going too far worrying about PMs and other details? Maybe. It really depends on the honesty and competence of BlackCat and Reddit, and the article author's assumptions based on their statements.

[–] [email protected] 3 points 1 year ago

This is assuming that the group is telling the truth about what they found.

[–] [email protected] 2 points 1 year ago

That’s because, from the very start, Reddit made it quite clear that the ‘live’ production systems holding such data were not breached.

Because Reddit is known for being forthright and honest…

[–] [email protected] 2 points 1 year ago (1 children)

Great. Fuck em and if they leak it EU citizens can sue the shit out of them :)

[–] [email protected] 3 points 1 year ago (2 children)

No user data was accessed according to Reddit.

[–] [email protected] 7 points 1 year ago (1 children)

according to Reddit

A super trustworthy source as we all know.

[–] [email protected] 0 points 1 year ago* (last edited 1 year ago) (1 children)

In the absence of literally any evidence at all to the contrary, I'm inclined to believe them for now. They seem to have followed protocol on everything else from what I've read.

[–] [email protected] 1 points 1 year ago

I try to be skeptical until the whole story comes out. Neither party is particularly trustworthy but I have zero confidence in anything that reddit corporate says these days.

[–] [email protected] 2 points 1 year ago (1 children)

See, there is the problem, "according to reddit" they probably don't even know themselves currently. I don't believe them anyway.

[–] [email protected] 1 points 1 year ago (1 children)

They can 100% know what was accessed and what wasn’t. This didn’t just happen, it happened in February and their SOC team or an external company would have conducted a full sweep as they’re legally required to disclose what was breached in many of the territories they operate in, which they did four days after the incident took place. I know it’s on trend to hate Reddit right now, but it’s not some one man operation running on a dusty old server in a garage, it’s something like the 20th most visited website on the entire internet, and that comes with certain legal obligations. They know what they’re doing and clearly take this kind of thing seriously.

You don’t have to believe them, but there’s no proof that any user data was breached and they seem to have followed the proper protocols so far. Unless anything else comes out, I’m inclined to believe that they’re telling the truth, or at least not lying.

[–] [email protected] 3 points 1 year ago

When it comes to legal obligations... Reddit is currently very hard violating EU laws, they don't do shirt.

[–] [email protected] 1 points 1 year ago

It happened a while back and is just popping up again now because they're capitalizing on the Reddit drama. So I don't really have an opinion on them -- hacking bad, etc but I don't really care.

load more comments
view more: next ›