
Someone claims to have hacked ProtonMail - drexlspivey
https://pastebin.com/bwvqHhbA
======
dnlsrl
> Protonmail compromises their users data without their knowledge and charges
> each user a monthly subscription fee. Therefore we felt morally justified
> compromising Protonmail’s data without their knowledge and charging them a
> fee for it’s return.

> If they decline again we will [...] sell [all customer data] in bulk to the
> highest bidder on the darknet

Funny that their moral sense tells them to compromise Protonmail's data
because it "charges each user a monthly subscription fee", but it ignores the
fact that they might affect users' private information if they release it to
the public. Even if they're not lying about the hacking, what's really
bullshit is their belief that they're doing the right thing.

------
protonmail
This is a hoax and failed extortion attempt, and there is zero evidence to
suggest otherwise. Not a single claim made there is true, and many of the
claims are also unsound from a technical standpoint.

------
investigated124
The email in the post is at the domain: msgden.com. This domain redirects to:
[https://www.msgsafe.io](https://www.msgsafe.io). Another encrypted email
system. Seems pretty clear this may just be a marketing tactic to steal
customers from ProtonMail.

------
DyslexicAtheist
"This extortion attempt is a hoax and have seen zero evidence to suggest
otherwise." --
[https://twitter.com/ProtonMail/status/1063392853014048768](https://twitter.com/ProtonMail/status/1063392853014048768)

------
rebuilder
This stinks to high heaven IMO - they're threatening to release e-mails
detailing "rampant pedophilia" among high-placed individuals? Sure, that's not
odd at all. I guess that's there to leverage the pizzagate believers for extra
publicity.

That said, there is a claim that should be verifiable - that Protonmail have
not enabled SRI and that this leaves users vulnerable. Does this claim hold up?
I'll admit I'm not familiar enough with SRI to even say whether it does what
the pastebin suggests it does. Them calling it "mandatory" seems like another
manipulation, though - mandated by who?

~~~
detaro
That claim doesn't make sense. SRI protects your site against third-parties
changing the files you include from them in your site. Here the claim seems to
be that ProtonMail changed files to snoop on users using their website, SRI
doesn't help against that.
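The distinction drawn in the comment above, as an added example that is not part of the thread: a small Python model of the browser's Subresource Integrity check. The function names and the two script bodies are constructed for illustration; the check is simplified to the parts that matter here (supported algorithms, strongest-algorithm selection).

```python
import base64
import hashlib

# Hash algorithms SRI accepts, ordered weakest to strongest.
STRENGTH = ["sha256", "sha384", "sha512"]

def sri_value(body: bytes, alg: str = "sha384") -> str:
    """Build the integrity attribute value for a resource body."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

def sri_check(body: bytes, integrity: str) -> bool:
    """Model of the browser-side check: parse the attribute, keep only the
    strongest algorithm listed, accept if any digest for it matches."""
    parsed = []
    for token in integrity.split():
        alg, _, rest = token.partition("-")
        b64 = rest.split("?", 1)[0]  # drop optional ?options suffix
        if alg in STRENGTH and b64:
            parsed.append((alg, b64))
    if not parsed:
        return True  # no usable metadata: nothing is enforced
    strongest = max(parsed, key=lambda p: STRENGTH.index(p[0]))[0]
    return any(
        sri_value(body, alg) == f"{alg}-{b64}"
        for alg, b64 in parsed if alg == strongest
    )

def scenarios() -> dict:
    original = b"function send(m){ return encrypt(m); }"           # constructed
    modified = b"function send(m){ leak(m); return encrypt(m); }"  # constructed
    page_tag = sri_value(original)  # hash pinned in the site's own HTML
    return {
        # A third-party host swaps the file; the site's HTML still pins the
        # old hash, so the browser refuses to run the script.
        "third_party_swap": sri_check(modified, page_tag),
        # Whoever controls the site's own server changes the file and emits a
        # matching tag in the same HTML response; the check passes.
        "first_party_change": sri_check(modified, sri_value(modified)),
        "unmodified": sri_check(original, page_tag),
    }

if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'loaded' if accepted else 'blocked'}")
```

SRI only binds a resource to the HTML that references it, so it says nothing about code the origin itself chooses to serve.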

------
blueprint
It's funny how their whole thing is "protonmail knowingly did something bad",
while they threaten to release innocents' user data if they don't get paid a
small sum.

------
gabrielblack
Goofy hoax:

"The alleged hacker has been busy posting to various image boards and stating
that they would send $20 in bitcoin to anyone who spread the word about this
hack using the #Protonmail hashtag on Twitter".
[https://www.bleepingcomputer.com/news/security/hacker-say-th...](https://www.bleepingcomputer.com/news/security/hacker-say-they-compromised-protonmail-protonmail-says-its-bs/)

"A closer reading of some of the claims, e.g. "circumventing the Geneva
convention, underwater drone activities in the Pacific Ocean, and possible
international treaty violations in Antarctica", etc, should also cause a
reasonable observer to draw the same conclusion".
[https://www.reddit.com/r/ProtonMail/comments/9xjrch/protonma...](https://www.reddit.com/r/ProtonMail/comments/9xjrch/protonmail_hacked_or_just_hoax/)

------
upofadown
> We are offering it back to Protonmail for a small fee, if they decline then
> we will publish or sell user data to the world.

That doesn't make sense. Why are they posting this if they are hoping for some
successful extortion? How would extortion even make sense in the first place?
You can't return data.

------
francislavoie
Interesting. I did receive an email about unread messages from Protonmail just
yesterday. I haven't used it in years and don't remember ever getting emails
to my other account either. Thought it seemed fishy, I just ignored it.

~~~
bartbutler
We sent out an update about security features.

------
egberts1
Well, if Proton hosted the CSS or JS elsewhere other than their main server
and someone did a MitM on those files, well ... yeah.

~~~
protonmail
We don't use a CDN.

