Usually what happens is that these sorts of blackmailers will leak small, verifiable pieces of data so people know they really got something. We don’t see that here, so for now there’s no reason to take them seriously yet.
No. If Reddit would negotiate with them, they’d probably leak small subsets as proof that they have actual data that isn’t available publicly. But with no negotiations, there’s not really any need for that.
If Reddit were to reach out privately to this group, the first thing they’d probably do is ask for proof. It’s trivially easy to provide proof you’ve carried out a hack; you just present some specific information that was not public and describe what all else you have in specific enough terms they know you’re not bluffing. (Or, I suppose you could just send them your whole dump if you really want to make it clear what all you have). The only way the rest of us will be able to validate these claims is if they leak and it either matches users’ own private account info or Reddit issues a disclosure about the hack (which I’m pretty sure they’re supposed to do regardless).
Is there any way to validate these claims?
Usually what happens is that these sorts of blackmailers will leak small, verifiable pieces of data so people know they really got something. We don’t see that here, so for now there’s no reason to take them seriously yet.
It would still be really easy for Reddit to say “nah homie, thats not our data” even if it is and even if Reddit knows that it is.
How are the hackers able to verify that the data did come from Reddit?
No. If Reddit would negotiate with them, they’d probably leak small subsets as proof that they have actual data that isn’t available publicly. But with no negotiations, there’s not really any need for that.
If Reddit were to reach out privately to this group, the first thing they’d probably do is ask for proof. It’s trivially easy to provide proof you’ve carried out a hack; you just present some specific information that was not public and describe what all else you have in specific enough terms they know you’re not bluffing. (Or, I suppose you could just send them your whole dump if you really want to make it clear what all you have). The only way the rest of us will be able to validate these claims is if they leak and it either matches users’ own private account info or Reddit issues a disclosure about the hack (which I’m pretty sure they’re supposed to do regardless).