2 comments

[ 0.20 ms ] story [ 18.8 ms ] thread
What the author says they did:

    What I found: 173 Gravatar email hashes sitting in Bellingcat’s public
    WordPress sitemap, completely unprotected.

    I cracked 89 of those hashes back into the original email addresses.
    I pulled 32 full Gravatar profiles containing real names, locations,
    social media accounts, and bios. 

    I scraped all 1,318 published articles for author intelligence
    and cross-referenced everything against Gravatar’s public API. 
    Over half of Bellingcat’s staff and contributors were de-anonymized
    from a single sitemap.
Why the author says they did it:

    I was kicked from their Discord for posting a gif in an inactive
    channel. [Non mod users] lectured me about rules I hadn’t broken,
    and within minutes I was banned. The reason logged by their system?
    "Discord ToS/Threats."

    Bellingcat operates a crossban system that propagates bans across
    affiliated OSINT communities. I was automatically banned from
    Project Owl: A OSINT Community server I had never interacted with.
Due to our increasingly dead internet, I've become a bit more sympathetic to heavy handed moderation (in general). Especially if the moderation team is reachable and reasonable. In this article, I see no indication the author reached out anyone at Bellingcat about his ban.

Further, Bellingcat exists in a space where they push back against some of the most powerful entities in Earth. I assume that brings security nuances I am not aware of.