• tojikomori@kbin.social
    1 year ago

    I’ve seen a few sites welcome the news with glee, as though Reddit’s leadership is going to be strongly affected. That’s childish and myopic. This is bad news for everyone.

    Whether or not Reddit pays, we should assume the data will make its way into the hands of people who (further) weaponize it against Reddit’s users, e.g. people who’ve posted risqué photos of themselves or shared compromising details through throwaway accounts can be doxxed or paired with their normal accounts via their IP or other common details. DMs and other private account details might contain addresses and other private or compromising information, too.

    If Reddit knew about the breach earlier and didn’t do their due diligence to alert users, then that’s further condemnation of their leadership and priorities, but it doesn’t undo the damage this might cause users.

    If Reddit were to pay BlackCat, then it would further enrich, reward, and encourage them. If, as is more likely, it doesn’t, then the blowback it receives (especially from any high profile consequences of the leak) might encourage other companies to pay up in future.

    • ztb@kbin.social
      1 year ago

      Whether or not Reddit pays, we should assume the data will make its way into the hands of people who (further) weaponize it against Reddit’s users

      It likely already has. No honor amongst thieves. That being said, I don’t think they accessed any user data in the breach.

      If Reddit knew about the breach earlier and didn’t do their due diligence to alert users, then that’s further condemnation of their leadership and priorities, but it doesn’t undo the damage this might cause users.

      This would also be illegal under California state law, but I don’t think they would’ve done something that stupid. There are also exceptions, i.e. if there was an active police investigation into the breach and it was determined that making the announcement could impede that investigation. I know this all happened in February though, and again I don’t think they would’ve been that dumb, since even back then I’m sure the IPO was front and center at Reddit HQ.

      Reddit confirmed the hack on Feb 9th 2023, and they were filing with the SEC all the way back in Dec 2021.

    • Phoeniqz@lemmy.dbzer0.com (OP)
      1 year ago

      From the article:

      We can be pretty sure of what it doesn’t include, and that’s user data such as account details, passwords or payment information. That’s because, from the very start, Reddit made it quite clear that the ‘live’ production systems holding such data were not breached.

      • SickIcarus@kbin.social
        1 year ago

        That’s because, from the very start, Reddit made it quite clear that the ‘live’ production systems holding such data were not breached.

        Because Reddit is known for being forthright and honest…

      • tojikomori@kbin.social
        1 year ago

        Yes but note the specific details of that assumption and their reasoning: it’s based on reddit’s announcement of the security incident a few months ago which starts:

        Based on our investigation so far, Reddit user passwords and accounts are safe…

        Now, look again at what BlackCat has promised in this leak:

        Instead, BlackCat is teasing such revelations as “all the statistics they track about their users,” and data concerning how Reddit “silently censors users.”

        80 GB of “statistics and data” about Reddit’s users is a lot. It may not contain raw IP addresses, but we know that IP matching is one of the ways Reddit catches sock puppets, so there may at least be a hash that could be used to identify accounts held by the same users.

        Am I going too far worrying about PMs and other details? Maybe. It really depends on the honesty and competence of BlackCat and Reddit, and the article author’s assumptions based on their statements.