The criminal group behind the February Reddit hack is now demanding $4.5 million and the dropping of API changes, or the stolen data will be published.
I’ve seen a few sites welcome the news with glee, as though Reddit’s leadership is going to be strongly affected. That’s childish and myopic. This is bad news for everyone.
Whether or not Reddit pays, we should assume the data will make its way into the hands of people who (further) weaponize it against Reddit’s users, e.g. people who’ve posted risque photos of themselves or shared compromising details through throwaway accounts can be doxxed or matched to their normal accounts via their IP or other common details. PMs and other private account details might contain mailing addresses and other private or compromising information, too. (Edit: as Phoeniqz points out in replies, the article author assumes this is not the case based on Reddit’s and BlackCat’s statements about the leak.)
If Reddit knew about the breach earlier and didn’t do their due diligence to alert users, then that’s further condemnation of their leadership and priorities, but it doesn’t undo the damage this might cause users.
If Reddit were to pay BlackCat, then it would further enrich, reward, and encourage them. If, as is more likely, it doesn’t, then the blowback it receives (especially from any high profile consequences of the leak) might encourage other companies to pay up in future.
We can be pretty sure of what to doesn’t include, and that’s user data such as account details, passwords or payment information. That’s because, from the very start, Reddit made it quite clear that the ‘live’ production systems holding such data were not breached.
I’ve seen a few sites welcome the news with glee, as though Reddit’s leadership is going to be strongly affected. That’s childish and myopic. This is bad news for everyone.
Whether or not Reddit pays, we should assume the data will make its way into the hands of people who (further) weaponize it against Reddit’s users, e.g. people who’ve posted risque photos of themselves or shared compromising details through throwaway accounts can be doxxed or matched to their normal accounts via their IP or other common details. PMs and other private account details might contain mailing addresses and other private or compromising information, too. (Edit: as Phoeniqz points out in replies, the article author assumes this is not the case based on Reddit’s and BlackCat’s statements about the leak.)
If Reddit knew about the breach earlier and didn’t do their due diligence to alert users, then that’s further condemnation of their leadership and priorities, but it doesn’t undo the damage this might cause users.
If Reddit were to pay BlackCat, then it would further enrich, reward, and encourage them. If, as is more likely, it doesn’t, then the blowback it receives (especially from any high profile consequences of the leak) might encourage other companies to pay up in future.
From the article:
Because Reddit is known for being forthright and honest…