While I'm glad no data was leaked and that Samuel is taking the layered defense approach seriously as it was wildly debated on the previous HN thread, I'm still a bit miffed that we only got confirmation that no leak actually occurred now.
As a Newsblur customer, would have really preferred the following course of action: lock down infrastructure, confirmation that no leak occurred, communication of that fact to customers and THEN service recovery. While this was all happening, the only indication that most likely no data was leaked was a single HN commenter that had a similar experience:
https://news.ycombinator.com/item?id=27615708
Newsblur mangled the formatting of a very large amount of newsletters I forwarded. The grouping per sender was great, but not really worth it if many newsletters end up unreadable.
Considering Newsblur's solution relied on setting up (sender/subject) filters on your email provider, I just kept doing that, but instead of forwarding to Newsblur, I now direct them all to a separate folder.
Lost the grouping per sender, but I honestly didn't explore an alternative too much. Even if Newsblur didn't mess with the newsletters' HTML and displayed them as GMail does, it was just too much of liability to blindly forward emails to a third party service like that: many companies do obnoxious things like send transactional emails from the same address as their newsletters, or blur the line between what is bulk and targeted mail, and I'd rather not have things like emails with flight information and other random tidbits of personal data floating around in someone's MongoDB.
I paid Samuel and entrusted him with my data. Not too much, but enough for it to matter. When faced with a massive leak like this, he downplays everything, calls the hacker a "script kiddie" and calls this "good practice for what will be the first of many sleepless nights", looking at it only from a "service disruption" perspective.
So far we've gotten no indication of what's been leaked, if it contains deleted feeds, or what he's doing to prevent the data from being leaked by the hacker, if anything. He's been solely focused on restoring the service and ignoring the leak. Compared to not having access to an RSS reader for any random period of time, the leak is orders of magnitude more serious to me and I'd wager to most of Newsblur customers.
I honestly don't care if paying a ransom or interacting with the hacker makes him more likely to be targeted in the future, his duty towards his customers was to keep their private data private and not only he failed at that, but he doesn't even seem to register that as his main priority. As far as I'm aware, if he allows the data to leak publicly, then there's no "recovering from there", he's not getting any more of my money.
This is horrific. So the hacker is claiming to have a copy of our data. 0.03 BTC is less than $1000. Regardless of you being able to restore from backups, I assume you're paying the ransom to hopefully avoid the leak, right?
Samuel's nonchalant reply to this is highly disturbing to me. I'm a Newsblur customer and as far as I can tell, my feed data is in the hands of some hacker and he doesn't care at all. I am much less concerned about the service being restored, which seems to be all that he's worried about, and more about knowing who has my data.
On top of that, I used to use his "forward newsletters to Newsblur" feature for a long time. I've long stopped using it and deleted all the feeds with newsletters, partly because it never worked very well, but mostly because I more or less had an inkling that something like this would happen and it's just not worth it, too many email newsletters leak personal data all over the place. However, I have no clue if those were really deleted or if they stuck around in MongoDB.
Clarification what exactly the ransom is (did he just dump it locally and encrypt it? or did the hacker download it and is threatening to leak it?) would be very welcome.
As a Newsblur customer, would have really preferred the following course of action: lock down infrastructure, confirmation that no leak occurred, communication of that fact to customers and THEN service recovery. While this was all happening, the only indication that most likely no data was leaked was a single HN commenter that had a similar experience: https://news.ycombinator.com/item?id=27615708