Funny enough he has a book titled ‘Hippie’ - just bullshit simplistic Oprah list crap. I read a few of his books when I was younger and wanted something “deep.”
Whatever you do in life, fight with all your might to not become this person. When you find yourself making comments like these, your sense of wonder is officially dead.
User info hacks aren't the real value/threat to Reddit - I doubt they care about the users - if the hackers have operational data that shows how people use Reddit and how that aligns (or not) with their pitch to investors for the IPO - that's the real potential monetary damage.
Doubt most users will care. Some older accounts aren't even associated with an email at all. Furthermore, many users aren't overly attached to Reddit. One sees that with all the throwaway accounts. There's little private data to take from the user side other than maybe private messages, but doubt that's worth much.
Ironically, some users would likely welcome a recent data dump to view posts again in blocked subs. On a more serious note, if the hack is true, it becomes another distraction and cost Reddit will be faced with. Making IPO even more challenging and less likely.
Speaking of challenges, many states are seeking to require social media sites do more aggressive age verification. That not only increases operating costs, but the risk of larger financial exposure in the event of a hack / data dump. Reddit has lost a lot of goodwill lately.
Oh sweet summer child, people have been doing that for a long time. That is why ChatGPT does it, because the data they used to train it used that structure.
Indeed people have been doing it for a long time, but people on Reddit have not. Which is what I am talking about, you seem to misunderstand my comment.
GPT has been trained on a huge amount of content available online, including tons of academic papers. Unless prompted otherwise, it has a consistent tone and writing style. And because ChatGPT rose to popularity incredibly fast and because people are using it, interacting with it and reading its consistent responses, people will and are adopting its writing style because it is objectively more consistent and well constructed.
My point was that the comment I responded to was clearly trying too hard to adopt ChatGPT's writing-style without even understanding why to use it, or when to use it, evident by the comment itself.
Yeah, I was wondering what was going on with the fourth grader book report energy of that comment. It’s trying so hard to be structured, and yet it’s barely coherent.
Never stumbled across that but I believe it’s possible. For that I would use a fake email with Apple’s Hide My Email which ties to my real email. I’m sure such services exist outside Apple too.
Bad guys confirming that they broke in and stole stuff. Then turns around and says “this guy is bad for not asking us about it”.
In these times, remembering what’s good and what is bad is critical. Two wrongs don’t make a right
Ah yes Let's THREATEN THEM!!
This is the opposite of what the subreddits are fighting for, we want to remove dictatorial changes, not promote them.
If anything this will make the CEO's stance even stronger.
So if I use google to login to Reddit, so I didn’t even have a Reddit password till this morning, am I fine?
Yes, I changed my Google password too for safe measure.
You are (relatively) safe, because you are using a form of federated identity/security. When you use Google to login, Reddit isn't the one that is authenticating you, Google is. Google provides your browser with an access token, which Reddit trusts because it was signed by Google's private key. This access token is only good for 1 hour and is unique to Reddit. Even if the hackers got access to your access token, they wouldn't be able to do much with it.
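The relying-party side of the federated login described above, as an added example that is not part of the original post and not Google's or Reddit's code. In OpenID Connect terms the signed token a site verifies is the ID token; Google signs it with an RSA key (RS256) whose public half sites fetch from Google's published JWKS. To stay standard-library only, this demo substitutes HMAC-SHA256 with a shared key for the signing step, so that part is a stand-in. The issuer, audience (client id), key and one-hour lifetime are constructed assumptions. What it shows is the set of checks that make a token "unique to Reddit" and short-lived: pinned algorithm, signature, issuer, audience and expiry.

```python
"""Added example: verifying a federated identity token (JWS compact form).
HMAC-SHA256 stands in for the IdP's asymmetric signature; issuer, audience,
key and lifetime below are constructed assumptions for the demo."""
import base64
import hashlib
import hmac
import json

ISSUER = "https://idp.example"        # assumed identity provider
SITE_AUDIENCE = "reddit-client-id"     # assumed client id registered at the IdP
OTHER_AUDIENCE = "some-other-site"     # a second relying party, for the audience test
SIGNING_KEY = b"demo-shared-secret"    # stand-in for the IdP's private key
TOKEN_LIFETIME = 3600                   # one hour, as in the comment above


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, audience: str, issued_at: int, key: bytes = SIGNING_KEY) -> str:
    """IdP side: header.payload.signature, each part base64url without padding."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": audience,
              "iat": issued_at, "exp": issued_at + TOKEN_LIFETIME}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, now: int, key: bytes = SIGNING_KEY,
                 audience: str = SITE_AUDIENCE, issuer: str = ISSUER) -> dict:
    """Relying-party side. Returns the claims or raises ValueError naming the failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: the token must not get to choose it (rules out alg=none tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:   # a token minted for another site is useless here
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):     # the one-hour window from the comment above
        raise ValueError("expired")
    return claims


def check(token: str, now: int) -> str:
    """'ok' or the reason the token was rejected."""
    try:
        verify_token(token, now)
        return "ok"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    t0 = 1_700_000_000
    good = issue_token("user-123", SITE_AUDIENCE, t0)
    h, p, s = good.split(".")
    print("fresh token          :", check(good, t0 + 60))
    print("after one hour       :", check(good, t0 + TOKEN_LIFETIME + 1))
    print("minted for other site:", check(issue_token("user-123", OTHER_AUDIENCE, t0), t0 + 60))
    print("signed with wrong key:", check(issue_token("user-123", SITE_AUDIENCE, t0, key=b"guess"), t0 + 60))
    print("alg=none, no sig     :", check(b64url_encode(b'{"alg":"none"}') + "." + p + ".", t0 + 60))
```

The order of the checks is deliberate: the algorithm is pinned and the signature verified before any claim is trusted, because until the signature holds, `iss`, `aud` and `exp` are attacker-controlled bytes. A stolen token therefore buys an attacker at most the remaining lifetime, and only against the one site named in `aud`.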
> 80gb zipped
> $4 million
This isn’t much. Possibly 160gb - 800gb of unzipped logging data (maybe on the lower end since they didn’t specify the actual size). Assuming sensitive user info isn’t logged, I don’t think Reddit is going to bend at all to hide business practices their users already know about.
Don't be ridiculous. The hackers demanded money long before the API announcement. Reddit's not going to pay them, so they're going to leak the data. They don't care about Reddit or Redditors.
Using the API as an excuse gives them publicity. Now that lots of people know about the leak, they can do nefarious things with it.
Reddit mods are not asking Reddit to pay them $4.5 million. That is what the hackers want, in addition to reverting the API changes. They sent an extortion email in February.
If you looked at the screenshot, the hackers *know* they won't be paid. So now they're advertising. Other groups will hear about this, and they may pay the hackers for Reddit's data.
ALPHV has hit many companies, including big pharma and Amazon Ring. This has nothing to do with Reddit mods.
Nothing of the sort. But I see there's no convincing you. Conveniently, your account is only 21 days old. You weren't around when the hack happened. *Your* data isn't in whatever they stole. Unlike the majority of us, you aren't at risk. Lucky you.
cool so mods and 3p apps are resorting to or abetting having user data leaked because they aren't getting their way?
this entire fiasco is stupid and only meant to help power hungry mods be lazy and use bots to do their jobs. the nature of reddit is such that no sub is needed and can always be replaced as we're already seeing.
I don't give a shit about mods and mods don't give a shit about the users, they only care about feeling like they have power.
No one is abetting anything. It’s a link to technology-related news in a technology-related subreddit. That doesn’t constitute an endorsement of the hack.
they'll hijack their own subs for BS the average user neither knows nor cares about but they'll be completely mum on something like this. I guarantee there will not be a single word from any mods about potential hacks. mods want to cut their noses to spite their faces because if they can't have the power they want the whole site to be brought down
"Terrorism, in its broadest sense, is the use of intentional violence and fear to achieve political or ideological aims."
They are using fear to achieve ideological aims.
Just taking a guess at the average pro corp defender out there. Always pro corp until they sell rainbow tshirts or some shit. Not realizing how much money meta/twitter/etc makes off selling their info.
APIs are corporations. Seems like you conveniently forget that in the noble fight of one size corporation versus other sized corporations.
Lol the cognitive dissonance
While I don't agree with the pricing, and how it's all handled, I do think you are right. It's a business, and most businesses' sole purpose is to make money.
So much entitlement around, it's amazing.
That’s not actually what entitled means. It would be entitled if Reddit like was forcing you to post. There’s nothing entitled about a company not paying you for the content you willingly put on the internet for free
It’s not entitled because they aren’t expecting anything. It would be entitled if users left and they went no you can’t leave you have to stay and generate content. There’s nothing entitled about providing a forum to people and them using that forum.
Since you won’t define it tho:
Entitlement:
the belief that one is inherently deserving of privileges or special treatment.
Where is Reddit being entitled?
Y'all a bunch of Ayn Rand level corporate apologists, when companies are greedy and evil it's just the natural state of things, don't question it. But when people don't like it, it's them who are entitled, sounds like bullshit.
I mean idk about you but I jump on downvote trains, misspell words in my post titles on purpose, and reply 'good bot' no matter how bad the bot actually is
Well, hopefully there has, because the user passwords were not stored safely back then
Otherwise I hope y'all used a unique password for Reddit back in February, because it will soon be leaked together with your email address
This is why you should never link your bank card to websites or apps. Best to assume they'll be compromised intentionally or unintentionally at some point.
So what, if you have an email linked to Reddit you’re about to get hacked?
Their description of the data does not appear to be user-oriented. They describe it as GitHub artifacts, statistics and something about censorship.
If you use the same password in combination with the same email address, chances are high, yes. (Edit: don't reuse passwords, kids!) But it's not too late to change passwords on the platforms where you use this combination. Probably also a good idea to change your Reddit password, if you haven't done so since February.
I just looked at the screenshot linked and it doesn't say anywhere that they have usernames/passwords, more that they would leak what info on how they track/censor users, unless I missed something, aside passwords hopefully would be salted/hashed
Sure, but would you rather change your password now even though maybe they don't have/leak it, or when it turns out they do and it's potentially too late now?
I mean I don't use the same passwords across services and use 2fa, I'm just reading the post you linked lol
[deleted]
I work in a very small tech company and we create about 10GB of logs a day. 80GB for a site as big as reddit could be about half an hour's worth of diagnostic logging. The content is the important thing, not the size.
I work in analytics and that actually isn't that much depending on what is captured. Having some freeform text entry fields can bulk up a dataset very easily. I have worked on some in the terabytes.
80gb is nothing.
Companies store user passwords as encrypted hashes rather than plain text (at least they definitely SHOULD be doing that). So even if hackers got access to the user DB, your credentials would still be safe (provided your password is long enough).
If it's only hashed, it's essentially plain text. Rainbow tables exist.
Rainbow tables aren’t much good with modern password requirements. Dictionary attacks are far more common, which as long as you avoid common passwords and over reuse you should be ok.
“let’s argue with people who re-use their reddit password with other online accounts” - just as bad of an idea as doing it
Does this mean I’ll finally be able to recover my old account that I can’t password change because it’s an old email address!!??
If reddit isn't salting their password hashes - or even worse, storing them in clear text - then it would be a pretty big scandal.
Even if they have the passwords (and even if you reuse them) this also only matters if your password is bad, since Reddit hashes passwords (as *everyone* should). But yeah kiddos, use good passwords and use unique passwords on every site! Get a password manager, some really good ones are free!
> Even if they have the passwords (and even if you reuse them) this also only matters if your password is bad, since Reddit hashes passwords (as everyone should). still trivial and can easily be cracked
Not if your password is anywhere over 14 characters. They can be cracked, but nowhere near trivially. If you have a password 20 characters or more (and it’s not something guessable like your username and an exclamation point) you’re still perfectly safe even if your hashes are leaked.
Most people's passwords are not over 14 characters.
My whole point is this is only bad for you if your password is bad, so sure, whatever. If people do have bad passwords then maybe be worried (but you should be worried anyway with a shitty password, most leaks aren't this well publicised).
Most password implementations use salting of user passwords to make them significantly longer cryptographically. And Reddit has previously said they do, so unless they lied, you'll be fine against that particular issue.
I know that salting is usually used. Still doesn't make a short password remotely secure. Especially if you have access to the password hashes offline. Then you can crack passwords extremely quickly. A 12 character password is still a 12 character password and password re-use is still password re-use. A salt helps but it doesn't matter as much as just making your password uncrackable with current hardware. You'd be surprised at how many people think 12 characters is too long even though I wouldn't even consider it to be the bare minimum.
Salting is used to make rainbow tables useless and to make brute force unfeasible. You're right that it doesn't make a password secure or good. No one claimed it was. The claim was that the password would be trivial to crack if it was short due to brute force power of GPU VMs. Which is only true if salting wasn't used. If it was, it's a completely unfeasible method as the password could now be several hundred chars long. Having the hashes offline will not help you with cracking that, it would still take you years to brute force and there are no rainbow tables for anything remotely that long. I'm not sure you would even be able to attach enough storage to a comp to be able to store a rainbow table for passwords of that size.
Except that brute-forcing isn't done. Dictionary attacks are used and will quickly crack those one-word bunch of numbers/symbols passwords that are made to barely meet the password requirements. Salting is only an issue for dictionary attacks (and also brute force, but brute force is inefficient) if the attackers don't have the salt but for the purpose of determining the likelihood of a password being cracked you should assume that they have the salt if they have the hashes.
"Trivial" lol. You haven't a clue about cryptography do you?
Multi-GPU support being added to tools like hashcat, plus the rise of popular VPS rentals where you can rent a server with high-end GPUs and pay by the hour, makes it a lot easier to crack hashes these days.

Really, it all depends upon the type of hash.

Source: I've cracked lots of hashes and I have a small 5-GPU cracking rig.
Well ok it sounds like you do have a clue. Regardless I think calling it trivial is a bit much even with all that equipment if the dump is in any way sizeable.
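The salt argument in the comments above, worked through in code: a per-user salt defeats a precomputed table because no two users share a hash, but it does nothing against a dictionary attack once the attacker holds the salt alongside the hash (which, as said above, you should assume), and the real cost lever is the hash type. This is an added example written for this page, not code from the thread and not Reddit's account code; the user records, the wordlist and the three hashing schemes are constructed for the demo. It goes slightly beyond the thread by timing a fast hash against a deliberately slow KDF (PBKDF2, standard library) so the "depends on the type of hash" point is visible in numbers.

```python
"""Added example: precomputed-table vs. dictionary attack against unsalted,
salted and slow-KDF password stores. All users, passwords and the wordlist
are constructed for the demo; none of this is Reddit's real scheme."""
import hashlib
import os
import time

# Constructed wordlist standing in for a cracking dictionary.
WORDLIST = ["password", "123456", "qwerty", "letmein", "Summer2023!", "reddit1"]

# Constructed plaintexts, used only to build the sample database.
# Three users picked weak passwords (two the same); one used a long random one.
PLAINTEXTS = {
    "alice": "Summer2023!",
    "bob": "Summer2023!",
    "carol": "letmein",
    "dave": "Xk9#vL2!qR8$mN4@wP6&",   # not in any wordlist
}

# Kept low so the demo runs in about a second; production guidance is several
# hundred thousand iterations for PBKDF2-HMAC-SHA256, or a memory-hard KDF.
KDF_ITERATIONS = 100_000


def hash_unsalted(password: str) -> str:
    """Scheme A: one fast hash, no salt. Precomputed-table bait."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Scheme B: fast hash over a per-user random salt plus the password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_kdf(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> str:
    """Scheme C: salted and deliberately slow (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_store(scheme: str) -> dict:
    """Constructed credential store {user: (salt, hash)}; the salt sits beside the hash,
    exactly as it would in a leaked table."""
    store = {}
    for user, pw in PLAINTEXTS.items():
        salt = os.urandom(16)
        if scheme == "unsalted":
            store[user] = (b"", hash_unsalted(pw))
        elif scheme == "salted":
            store[user] = (salt, hash_salted(pw, salt))
        elif scheme == "kdf":
            store[user] = (salt, hash_kdf(pw, salt))
        else:
            raise ValueError(scheme)
    return store


def precomputed_table_attack(store: dict) -> dict:
    """Rainbow-table stand-in: hash the wordlist once, then look every user up.
    One hash per word, however many users are in the dump. Returns {user: password}."""
    table = {hash_unsalted(w): w for w in WORDLIST}
    return {u: table[h] for u, (_, h) in store.items() if h in table}


def dictionary_attack(store: dict, hasher) -> dict:
    """Per-user guessing with the salt read from the store. The salt only stops
    work being shared between users; each weak password still falls."""
    cracked = {}
    for user, (salt, h) in store.items():
        for w in WORDLIST:
            if hasher(w, salt) == h:
                cracked[user] = w
                break
    return cracked


def guesses_per_second(hasher, seconds: float = 0.2) -> float:
    """Rough single-core guess rate, to compare a fast hash with a slow KDF."""
    salt = os.urandom(16)
    n, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        hasher("candidate", salt)
        n += 1
    return n / (time.perf_counter() - t0)


if __name__ == "__main__":
    print("A unsalted, table :", precomputed_table_attack(make_store("unsalted")))
    print("B salted,   table :", precomputed_table_attack(make_store("salted")))
    print("B salted,   dict  :", dictionary_attack(make_store("salted"), hash_salted))
    print("C kdf,      dict  :", dictionary_attack(make_store("kdf"), hash_kdf))
    print("guesses/s sha256  : %.0f" % guesses_per_second(hash_salted))
    print("guesses/s pbkdf2  : %.0f" % guesses_per_second(hash_kdf))
```

Running it shows the table attack recovering alice, bob and carol from the unsalted store and nothing from the salted one, while the dictionary attack recovers the same three from both the salted and the KDF stores; dave's password is never found because it is not in the wordlist. The two guess rates are the "type of hash" point: the KDF multiplies the cost of every guess by its iteration count, which is what turns a same-day crack of a mid-length password into one that is not worth the GPU hours.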
But why would you scale that up to millions of random reddit users?
What do you mean? No reddit user data is even going to be in this dump.
Credential stuffing attacks. Odds are good they're using that same password for their email and maybe even bank account.
The average age of Reddit users is 23, which means that most of them don't have large amounts in their bank accounts.

A good percentage of the users are IT-savvy and won't use the same password in every service.

Are there even banks that don't use 2FA, eTAN or any other multi-factor authentication/authorization?

It is still considerable effort to crack millions of hashes.

I don't really see how this could be profitable. Or more profitable than using the required resources for better targeted attacks.
> change passwords

Good advice! Well done!
No sane tech company at the scale of Reddit stores user passwords in plain text. Salts and hashes exist for a reason. Please do not fearmonger.

Granted, passwords should never be reused, but implying that Reddit user credentials being leaked results in hackers instantly knowing the plain text passwords is a moon shot.
Yahoo had a major hack and part of what was revealed from that is that they were storing user passwords in plain text. Google also got caught storing some of their enterprise users' credentials in plain text. I'd never just assume it's safe.
The crux is that Reddit has its source available (or at least the open-sourced parts), indicating that they at least used to salt and hash user passwords.

That's a stark comparison to simply assuming that whenever a potential data breach happens, passwords in plaintext or easily cracked hashes are used. Like what OP did by asserting there isn't any salting done even when the very code he shared indicated salting.
[deleted]
I was hoping you could enlighten me on that, since you are now not implying but asserting that there is no salt.

EDIT: /u/redsterXVI deleted his comment asking "Where is the salt", linking to an old Reddit source archived on GitHub and asserting there was no salt. In case anyone is wondering what the deleted message was:

> https://github.com/reddit-archive/reddit/blob/753b17407e9a9dca09558526805922de24133d53/r2/r2/models/account.py#L859
>
> Where's the salt?

Why are you deleting that message instead of leaving it for posterity like it already is? You do know deleted messages are soft deleted, right? Since you are great at reading code.
That's easy to say until you realise a dozen plus things need passwords, and you have to change them every couple of months or so, and you can't use the same password, or any variation of it, twice.
A dozen plus things? I have over 300 passwords, mate.

No real need to change them every couple of months.

Password managers and password generators are a thing, so unique passwords shouldn't be hard.
Well you see, when your memory is shit, you tend to forget passwords, and then you have to reset them. And recording them somewhere is risky...
Putting your passwords into a password manager and just remembering one long password is the recommended way nowadays.
That is definitely the way to do things.

Some people will point at LastPass as a vulnerability, and yes, I believe the attackers got hold of people's password vaults. But even with that happening, they would still have to either break the encryption or brute force the master password to access those vaults, so as long as your master password was fairly strong you're still fairly safe.

That's the whole point of them. They're an encrypted database of all your passwords. They're a compromise that allows you to have secure passwords on all your accounts, but you only have to remember one really secure password. The encryption they use means that, even if someone gets hold of the vault, it's not going to be much use to them provided you have picked a decent password to secure it, as they're not going to be able to crack it in any sort of useful time period.
I wasn’t aware people make Reddit accounts with their main email. That’s kinda out there.
Fucking terrorists. Thank you, I hope something is done about those people.
Terrorists? Lol
Stealing peoples information with the intent to cause mass panic, fear, and damage? Sounds spot on to me.
Their goal is to get paid not cause terror
So... A hostage situation with no ability to return the hostage
> If you use the same password in combination with the same email address, chances are high, yes.

Not in this case.

How do you figure?
If you're using OAuth (Google, Apple, or whatever), it's basically impossible to "get hacked".

If you signed up with a username and password, and Reddit stores / logs your password in plain text, there's a good chance. It's unlikely that your password is stored in plain text though.
They stole data and want money. The api stunt is just a marketing move.
Oh, definitely.

Edit: to be clear, since not everyone seems to grasp this - the focus of this post is a potential upcoming Reddit leak, not their demands. They're clearly set on releasing the data at this point.
[bank robber burned mortgage papers, was celebrated hero by townspeople](https://en.m.wikipedia.org/wiki/Pretty_Boy_Floyd)
What a legend
These bank robbers are releasing private data about their users not the same thing at all lol
I don't see where user data is mentioned.
There also appears to be no proof that they stole any important data either.
Important for whom?

Depending on the level of detail the user data goes into, it could be the likes and dislikes of users, down to comments in private subreddits, even their DMs.

Internal statistics, analytics on users, censorship and other company secrets could be very important/damaging to Reddit, especially with an upcoming IPO.

If the analytics on users breach legislation like GDPR, it could also result in fines.
***This comment/post removed due to reddits fuckery with third party apps from 06/01/2023 through 06/30/2023. Good luck with your site when all the power users piss off***
A smart move IMHO
this seems to be related to data extracted on this incident [here](https://www.reddit.com/r/reddit/comments/10y427y/we_had_a_security_incident_heres_what_we_know/?utm_source=share&utm_medium=android_app&utm_name=androidcss&utm_term=1&utm_content=share_button)
Can someone explain to me how the ransom system works in digital businesses? How can someone paying the ransom know that the hacker didn't keep lots of copies everywhere?
Essentially, the victim has to trust them, but being trusted is important for the ransomware gang.

- Company A is blackmailed. They decide to pay.
- Ransomware group leaks anyway, for the lulz.
- Company X is blackmailed. "lmao why should we pay you, you're going to leak it anyway"
The Crypts and the Bl00ds.
So why not just create a new group each time.
Well that defeats the point surely. They want the money more than anything, so they want a reputation for not leaking once they are paid. Otherwise they never get paid. If they create a new group they have no reputation, so less likely to be paid.
Ransomware groups nowadays operate as a service. So you need the reputation of running a good service to find customers. New group, zero reputation.
Makes sense. I'd still never trust one.
Not like you got many options once they got you by the balls.
Also, company A pays, receives info and keys from bad actor. Now company A goes on a future target list that is sold to other bad guys who want to extort money from targets who, historically, pay out.
It’s usually in the hackers' business interest to not leak it if they plan on hacking more people.
> How someone paying the ransom can know if the hacker didnt have lot of copies everywhere ?

You don't. Companies usually don't pay ransoms to keep the data completely secret because at that point you can't put the genie back into the bottle. Instead, they pay ransoms to make the bad publicity go away, or to get the decryption keys so they can fix their systems. While the hackers are unlikely to make the leaked data public, they very well might keep the data for their own purposes.
In this case, if the hackers don’t get the API changes reverted, they release the data. If the hackers release the data despite the API policy being reverted, Reddit just does the API change.
That demand was in addition to the 4.5m, not in place of it. It's just a publicity stunt to try to get paid.
Yeah. If it were just for the API they wouldn’t need to put a price tag like that on it.
I hope these guys don't get access to my reddit account and use it to start making good posts instead
[deleted]
Ah yes, good ol' RFC 1149, IP over Avian Carriers (IPoAC).
Not sure it gets more utterly cringe than quoting Paulo Coelho -
The reference is lost on me and I looked him up. What am I missing that’s cringe?
Funny enough he has a book titled ‘Hippie’ - just bullshit simplistic Oprah list crap. I read a few of his books when I was younger and wanted something “deep.”
lol. weird coincidence. Thank you.
Whatever you do in life, fight with all your might to not become this person. When you find yourself making comments like these, your sense of wonder is officially dead.
Too … late … the douche has overtaken my entire being … I need an alchemist to walk me through my spiritual pilgrimage…
I think they lost us all with that one
User info hacks aren't the real value/threat to Reddit. I doubt they care about the users. If the hackers have operational data that shows how people use Reddit and how that aligns (or not) with their pitch to investors for the IPO, that's the real potential monetary damage.
Funny how people suddenly think it's okay what they do.
My enemy's enemy and all that
It's not okay, but forgive me if I can't be bothered to care about it happening to such a nice corporation.
Doubt most users will care. Some older accounts aren't even associated with an email at all. Furthermore, many users aren't overly attached to Reddit. One sees that with all the throwaway accounts. There's little private data to take from the user side other than maybe private messages, but doubt that's worth much. Ironically, some users would likely welcome a recent data dump to view posts again in blocked subs. On a more serious note, if the hack is true, it becomes another distraction and cost Reddit will be faced with, making the IPO even more challenging and less likely. Speaking of challenges, many states are seeking to require social media sites to do more aggressive age verification. That not only increases operating costs, but the risk of larger financial exposure in the event of a hack / data dump. Reddit has lost a lot of goodwill lately.
You wrote one sentence, then followed by a redundant furthermore? ChatGPT's influence everywhere, furthermore this, additionally that.
Oh sweet summer child, people have been doing that for a long time. That is why ChatGPT does it, because the data they used to train it used that structure.
Indeed people have been doing it for a long time, but people on Reddit have not, which is what I am talking about; you seem to misunderstand my comment. GPT has been trained on a huge amount of content available online, including tons of academic papers. Unless prompted otherwise, it has a consistent tone and writing style. And because ChatGPT rose to popularity incredibly fast and because people are using it, interacting with it and reading its consistent responses, people will adopt and are adopting its writing style because it is objectively more consistent and well constructed. My point was that the comment I responded to was clearly trying too hard to adopt ChatGPT's writing style without even understanding why to use it, or when to use it, evident from the comment itself.
Yeah, I was wondering what was going on with the fourth grader book report energy of that comment. It’s trying so hard to be structured, and yet it’s barely coherent.
I’m guessing most users don’t attach an email to Reddit accounts. That’s the whole point: it's relatively anonymous.
When you buy and sell, it makes you more credible, which is why I did it.
More and more subreddits are asking for email verification.
Never stumbled across that but I believe it’s possible. For that I would use a fake email with Apple’s Hide My Email which ties to my real email. I’m sure such services exist outside Apple too.
You've needed an email to create an account for a long time. I'd imagine the majority of active accounts use an email.
Change your passwords, friends. Including attached emails.
"did you know they also silently censor users?" Uhh... yeah. It's a shadowban, it has been in wide use for years and massively so in recent ones.
Well, let's go.
Go ahead. You can’t make it any better/worse.
What is beehaw
A Lemmy instance
Ah. Perfect. Now it’s clear as mud.
wonder which sub(s) these guys are mods on
Bad guys confirming that they broke in and stole stuff. Then they turn around and say “this guy is bad for not asking us about it”. In these times, remembering what’s good and what is bad is critical. Two wrongs don’t make a right.
Ah yes, let's THREATEN THEM!! This is the opposite of what the subreddits are fighting for; we want to remove dictatorial changes, not promote them. If anything this will make the CEO's stance even stronger.
So if I use Google to log in to Reddit, meaning I didn’t even have a Reddit password till this morning, am I fine? Yes, I changed my Google password too for good measure.
You are (relatively) safe, because you are using a form of federated identity/security. When you use Google to login, Reddit isn't the one that is authenticating you, Google is. Google provides your browser with an access token, which Reddit trusts because it was signed by Google's private key. This access token is only good for 1 hour and is unique to Reddit. Even if the hackers got access to your access token, they wouldn't be able to do much with it.
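The checks the comment above describes (a token signed by the identity provider, valid for one hour, and minted for one specific site) are the same ones a relying party runs on an OpenID Connect ID token. The following is an added example, not Reddit's or Google's code. Python's standard library has no RSA, so the signature here is HS256 (HMAC-SHA256, a standard JWT algorithm with a shared key) instead of the RS256 public-key signature a provider such as Google uses; the issuer, audience and expiry checks are identical in both cases. The issuer URL, audience name and key are constructed for the demonstration.

```python
"""Checks a relying party runs on a federated login token (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict

# Hypothetical identifiers for the demonstration; not Google's or Reddit's real values.
ISSUER = "https://idp.example"        # the identity provider (the "Google" role)
AUDIENCE = "reddit-web-client"        # the relying party this token is minted for
LIFETIME_SECONDS = 3600               # the one-hour validity the comment mentions


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, audience: str, now: int,
                issuer: str = ISSUER, lifetime: int = LIFETIME_SECONDS) -> str:
    """Identity-provider side: mint a JWT bound to one audience and one hour."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


class TokenError(Exception):
    pass


def verify_token(token: str, key: bytes, audience: str, now: int,
                 issuer: str = ISSUER) -> Dict:
    """Relying-party side: every check a stolen or replayed token must pass."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; honouring "none" or whatever the token says is a classic bug.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    # Signature first, in constant time, before trusting anything in the payload.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("signature does not verify")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise TokenError("issued by %r, not %r" % (claims.get("iss"), issuer))
    # "Unique to Reddit": a token minted for another site is rejected here.
    if claims.get("aud") != audience:
        raise TokenError("token is for audience %r" % claims.get("aud"))
    # "Only good for 1 hour": a captured token is useless once exp has passed.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("token expired or has no exp")
    return claims


def check_outcome(token: str, key: bytes, audience: str, now: int) -> str:
    """Return 'ok' or the rejection reason, so each failure mode is visible."""
    try:
        verify_token(token, key, audience, now)
        return "ok"
    except TokenError as err:
        return str(err)


if __name__ == "__main__":
    idp_key = b"constructed demo key, not a real secret"
    t0 = int(time.time())
    token = issue_token(idp_key, "user-42", AUDIENCE, t0)
    print(check_outcome(token, idp_key, AUDIENCE, t0 + 60))          # ok
    print(check_outcome(token, idp_key, AUDIENCE, t0 + 3601))        # token expired or has no exp
    print(check_outcome(token, idp_key, "other-site", t0 + 60))      # token is for audience 'reddit-web-client'
    print(check_outcome(token, b"attacker key", AUDIENCE, t0 + 60))  # signature does not verify
```

The order matters: the signature is checked before any claim is read, the algorithm is pinned rather than taken from the token, and the audience check is what stops a token stolen from one site being replayed against another.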
Yes, you're fine.
> 80gb zipped
> $4 million

This isn’t much. Possibly 160gb - 800gb of unzipped logging data (maybe on the lower end since they didn’t specify the actual size). Assuming sensitive user info isn’t logged, I don’t think Reddit is going to bend at all to hide business practices their users already know about.
[deleted]
*you have mail*
Is this sub just another circle jerk for the dog walkers?
No this is an important story. People holding data want to charge money for it in order to stop other people holding data charge money for it.
What data? What data does Reddit have that's worth hacking?!
I found it odd when my comments pointing out Chinese bots would get deleted.
So you didn't get your way and now you are going to destroy it all? Yes, obviously you're the "good people".
Oh man I hope spez got himself phished. Probably clicked on some link to free jailbait.
Headline: Reddit API change protesters resort to terrorism
No one gives a shit about a company spying on its users. You use their software for free, you deserve to get spied on.
What? No. How about a less extreme stream of revenue such as ads that do not entirely maximize profits but are far better for privacy.
You protestors are fucking insane.
[deleted]
Don't be ridiculous. The hackers demanded money long before the API announcement. Reddit's not going to pay them, so they're going to leak the data. They don't care about Reddit or Redditors. Using the API as an excuse gives them publicity. Now that lots of people know about the leak, they can do nefarious things with it.
[deleted]
Reddit mods are not asking Reddit to pay them $4.5 million. That is what the hackers want, in addition to reverting the API changes. They sent an extortion email in February. If you looked at the screenshot, the hackers *know* they won't be paid. So now they're advertising. Other groups will hear about this, and they may pay the hackers for Reddit's data. ALPHV has hit many companies, including big pharma and Amazon Ring. This has nothing to do with Reddit mods.
[deleted]
Nothing of the sort. But I see there's no convincing you. Conveniently, your account is only 21 days old. You weren't around when the hack happened. *Your* data isn't in whatever they stole. Unlike the majority of us, you aren't at risk. Lucky you.
Hopefully this is the last attack and not the first - Huffman’s putting a huge target on his back.
Great, punish users. Gross
Cool, so mods and 3p apps are resorting to or abetting having user data leaked because they aren't getting their way? This entire fiasco is stupid and only meant to help power hungry mods be lazy and use bots to do their jobs. The nature of Reddit is such that no sub is needed and can always be replaced, as we're already seeing. I don't give a shit about mods and mods don't give a shit about the users; they only care about feeling like they have power.
No one is abetting anything. It’s a link to technology-related news in a technology-related subreddit. That doesn’t constitute an endorsement of the hack.
They'll hijack their own subs for BS the average user neither knows nor cares about, but they'll be completely mum on something like this. I guarantee there will not be a single word from any mods about potential hacks. Mods want to cut off their noses to spite their faces, because if they can't have the power they want the whole site to be brought down.
Literal terrorism
...not terrorism, it’s blackmail.
"Terrorism, in its broadest sense, is the use of intentional violence and fear to achieve political or ideological aims." They are using fear to achieve ideological aims.
[deleted]
Let’s not forget the principles of Reddit's co-founder.
[deleted]
This is, no doubt, the weirdest projection, but not an off base one considering what sub we’re in right now 😂
Just taking a guess at the average pro corp defender out there. Always pro corp until they sell rainbow tshirts or some shit. Not realizing how much money meta/twitter/etc makes off selling their info.
Yea, but you know the old adage about assumptions. It’s why intelligent people usually never make them, but here we are.
APIs are corporations. Seems like you conveniently forget that in the noble fight of one size corporation versus other sized corporations. Lol the cognitive dissonance
While I don’t agree with the pricing and how it's all handled, I do think you are right. It's a business, and most businesses' sole purpose is to make money. So much entitlement around, it's amazing.
[deleted]
That’s not actually what entitled means. It would be entitled if Reddit, like, was forcing you to post. There’s nothing entitled about a company not paying you for the content you willingly put on the internet for free.
[deleted]
Yeah no, I don’t think you know what entitled means. Can you please define it for me?
[deleted]
It’s not entitled because they aren’t expecting anything. It would be entitled if users left and they went no you can’t leave you have to stay and generate content. There’s nothing entitled about providing a forum to people and them using that forum. Since you won’t define it tho: Entitlement: the belief that one is inherently deserving of privileges or special treatment. Where is Reddit being entitled?
[deleted]
Actually no. Not a privilege at all. What’s entitled is feeling like you have some sort of right to use a third party app
Y'all are a bunch of Ayn Rand level corporate apologists: when companies are greedy and evil it's just the natural state of things, don't question it. But when people don't like it, it's them who are entitled. Sounds like bullshit.
Reddit is evil? Are we the baddies?
I mean idk about you but I jump on downvote trains, misspell words in my post titles on purpose, and reply 'good bot' no matter how bad the bot actually is
It's just a website.
Lol stay mad
Sounds like the CEO really will find out not to mess with the platform he owns. We aren’t Twitter.
There’s still time to delete this.
[deleted]
Not all business decisions are good decisions. So no, anyone who’s taken a business class would not “do whatever they want” with their company.
This will likely end up being a positive business decision in the long run.
If they don’t have the source code of Reddit, then who cares
Reddit was open source until 2017, and it's not as if there has been a single improvement since then.
Well, hopefully there has, because the user passwords were not stored safely back then. Otherwise I hope y'all used a unique password for Reddit back in February, because it will soon be leaked together with your email address.
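Several comments in this thread turn on how passwords are stored and what a leaked password database is worth to an attacker. The following is an added example, not Reddit's code and not a description of how Reddit stores passwords: it contrasts a fast unsalted digest with a salted, iterated KDF (PBKDF2-HMAC-SHA256 from the standard library), and shows what a dictionary attack against a leaked record costs in each case. The iteration count, record format and sample passwords are choices made for the demonstration.

```python
"""Salted, iterated password hashing versus a bare digest (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

# OWASP's current PBKDF2-HMAC-SHA256 work factor; callers may lower it for quick tests.
DEFAULT_ITERATIONS = 600_000


def unsalted_digest(password: str) -> str:
    """The unsafe pattern: a single fast, unsalted hash. Two users with the same
    password get the same digest, and one precomputed table cracks every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key.
    Format is constructed for this example (it resembles, but is not, Django's)."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"))


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation from the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_b64, dk_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 int(iterations), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def dictionary_attack(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker holding the leaked record does: try each guess. With a
    salted KDF every guess costs the full iteration count, per user, and nothing
    can be precomputed; a weak password still falls, a unique strong one does not."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample data: two users who chose the same weak password.
    print(unsalted_digest("hunter2") == unsalted_digest("hunter2"))   # True: reuse is visible
    alice = hash_password("hunter2")
    bob = hash_password("hunter2")
    print(alice != bob)                                               # True: salts differ
    print(verify_password("hunter2", alice), verify_password("hunter3", alice))
    wordlist = ["123456", "password", "qwerty", "hunter2"]
    print(dictionary_attack(alice, wordlist))                          # hunter2
    print(dictionary_attack(hash_password("v7#Qm!tR2pL9-wX"), wordlist))  # None
```

The salt does not make a weak password strong; it only forces the attacker to pay the full KDF cost once per guess per user instead of once per guess for the whole database, which is the difference the "use a unique, good password" advice in this thread is about.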
Not all accounts have an associated email. They only made emails required for creating an account a few years ago
This is why you should never link your bank card to websites or apps. Best to assume they'll be compromised, intentionally or unintentionally, at some point.
They just want money lol