13 comments

[ 3.0 ms ] story [ 41.0 ms ] thread
>We are offering it back to Protonmail for a small fee, if they decline then we will publish or sell user data to the world.

That doesn't make sense. Why are they posting this if they are hoping for some successful extortion? How would extortion even make sense in the first place? You can't return data.

Interesting. I did receive an email about unread messages from Protonmail just yesterday. I haven't used it in years and don't remember ever getting emails to my other account either. Thought it seemed fishy, I just ignored it.
We sent out an update about security features.
This stinks to high heaven IMO - they're threatening to release e-mails detailing "rampant pedophilia" among high-placed individuals? Sure, that's not odd at all. I guess that's there to leverage the pizzagate believers for extra publicity.

That said, there is a claim that should be verifiable - that Protonmail have not enable SRI and that this leaves users vulnerable. Does this claim hold up? I'll admit I'm not familiar enough with SRI to even say whether it does what the pastebin suggests it does. Them calling it "mandatory" seems like another manipulation, though - mandated by who?

that claim doesn't make sense. SRI protects your site against third-parties changing the files you include from them in your site. Here the claim seems to be that ProtonMail changed files to snoop on users using their website, SRI doesn't help against that.
> Protonmail compromises their users data without their knowledge and charges each user a monthly subscription fee. Therefore we felt morally justified compromising Protonmail’s data without their knowledge and charging them a fee for it’s return.

> If they decline again we will [...] sell [all customer data] in bulk to the highest bidder on the darknet

Funny that their moral sense tells them to compromise Protonmail's data because it "charges each user a monthly subscription fee", but it ignores the fact that they might affect users' private information if they release it to the public. Even if they're not lying about the hacking, what's really bullshit is their belief that they're doing the right thing.

This is a hoax and failed extortion attempt, and there is zero evidence to suggest otherwise. Not a single claim made there is true, and many of the claims are also unsound from a technical standpoint.
It's funny how their whole thing is "protonmail knowingly did something bad", while they threaten to release innocents' user data if they don't get paid a small sum.
Well, if Proton hosted the CSS or JS elsewhere other than their main server and someone did a MitM on those files, well ... yeah.
The email in the post is at the domain: msgden.com. This domain redirects to: https://www.msgsafe.io. Another encrypted email system. Seems pretty clear this may just be a marketing tactic to steal customers from ProtonMail.
Goofy hoax:

"The alleged hacker has been busy posting to various image boards and stating that they would send $20 in bitcoin to anyone who spread the word about this hack using the #Protonmail hashtag on Twitter". https://www.bleepingcomputer.com/news/security/hacker-say-th...

"A closer reading of some of the claims, e.g. "circumventing the Geneva convention, underwater drone activities in the Pacific Ocean, and possible international treaty violations in Antarctica", etc, should also cause a reasonable observer to draw the same conclusion". https://www.reddit.com/r/ProtonMail/comments/9xjrch/protonma...