Comment by fivefives55555

Comment by fivefives55555 6 hours ago

23 replies

View on Hacker News

I've been following this on X/Twitter and I think one of the most egregious things that's important to point out is that folks from Phrack reached out to Proton in private multiple times, and Proton ghosted them. Proton only engaged with them and then reinstated the accounts after Phrack went public and their X/Twitter post went viral.

It also looks like one of the writers filed an appeal with Proton and Proton denied the appeal, so they manually investigated the incident and refused to reinstate the account and then only did after this got attention on X/Twitter.

So make no mistake about it: Proton didn't just disable the accounts after whatever CERT complained, which would have been bad enough - they also didn't do anything about it until this started getting lots of eyes on social media.

eek2121 4 hours ago

Proton does not require a shred of proof that you are a real human being either, fyi. I'm not actually attacking them for this specifically, because I feel that we need privacy focused tools, however the fact that I was able to create a few hundred proton email addresses in seconds by injecting usernames/passwords was scary, even to me. I'm surprised they aren't on spam block lists worldwide. Their captcha is child's play that a script can defeat with simple image examination. i encourage them to buff up their spam controls, just a bit, and decrease moderation by a lot unless they can promptly deal with cases such as this.

Reply View 1 reply
  • immibis 2 hours ago

    Their controls are buffed up: all of those accounts are linked due to having been created with the same IP address. If one is blocked, they all are. If you try to circumvent this with a well-known proxy (such as Tor or a V"P""N") you will find that captcha activation will not exist as an option.

    Reply View 0 replies
overfeed 2 hours ago

I'll go out on a limb and say it: it's an American cybersecurity agency. Proton's CEO/Proton[1] loves the current US admin. I wouldn't be surprised if they comply now and ask questions later, if at all.

1. According to the now-deleted Reddit comment from the official Proton account glazing Republicans, so I assume they were speaking on behalf of all of Proton. https://theintercept.com/2025/01/28/proton-mail-andy-yen-tru.... I have zero evidence except for the CEOs questionable public statements, but I wouldn't be surprised if Proton turned out to be the 21st century Crypto AG.

Reply View 2 replies
  • nerpderp82 an hour ago

    Proton is a honey watering hole pot. This has always been clear.

    Reply View 0 replies
  • Yiin 2 hours ago

    if I didn't knew better, that would sound plausible, but the truth is much more boring (for the better)

    Reply View 0 replies
a0123 6 hours ago

Which the reddit fanatics on their sub are bending over backwards to defend and explain away when there is no two ways about it tbh.

Reply View 0 replies
baxtr 5 hours ago

On a positive note: having reach on social media can solve problems nowadays.

Reply View 7 replies
  • nicce 3 hours ago

    The effect is opposite - things get fixed only when you get enough social noise and that is not good.

    Reply View 0 replies
  • zapzupnz 3 hours ago

    So, if you have sufficient influence, you can get things moving.

    What about those of us nobodies with no influence?

    Reply View 4 replies
    • jackstraw42 3 hours ago

      well, you can't get the same stuff done that the folks with influence can. like they're working with a better toolbox.

      Reply View 3 replies
      • fn-mote 2 hours ago

        Which is all cool until Google rug-pulls your influence and you’re back to zero… in which case it doesn’t sound like a tool anymore.

        Maybe a tool with DRM embedded would be an appropriate analogy?

        Reply View 2 replies
  • brookst 3 hours ago

    And there’s no shortage of people excited to hop on the next outrage train.

    With good cause, in this case, but the crowds wielding pitchforks don’t much care either way.

    Reply View 0 replies
j-bos 6 hours ago

> Phrack reached out to Proton in private multiple times, and Proton ghosted them.

According to Proton's response in the linked reddit post: https://news.ycombinator.com/item?id=45227356

They say: "Regarding Phrack’s claim on contacting our legal team 8 times: this is not true. We have only received two emails to our legal team inbox, last one on Sep 6 with a 48-hour deadline. This is unrealistic for a company the size of Proton, especially since the message was sent to our legal team inbox on a Saturday, rather than through the proper customer support channels."

Reply View 8 replies
  • commmentator 6 hours ago

    You'll note that Proton's PR only mentions the second date - " last one on Sep 6 with a 48-hour deadline."

    Proton doesn't mention that the first email from Phrack which Proton ignored was weeks prior to that, which is what led to the second email in the first place.

    You'll also note that Proton doesn't mention that their Abuse Team refused to re-anable the account after the article author did the appeals process, as per Phrack's timeline at the top of their article.

    Reply View 5 replies
    • j-bos 6 hours ago

      That's a great point. I guess at this point it'd be ideal for them to treat this an incident and do a proper postmortem with timelines and decision calculus.

      Reply View 3 replies
      • commmentator 6 hours ago

        Definitely agree. A frank postmortem would be a good thing to see.

        Reply View 0 replies
      • alsetmusic 5 hours ago

        But that would be contrary to their clear intention thus far: to sweep this under the rug. /s

        I had previously liked Proton. I started seeing bits and pieces of info about their security being lackluster over the past year or so, causing doubt about their credibility. I'm definitely done with them after this.

        Reply View 1 reply
        • Insanity 4 hours ago

          This is honestly sad to see. I use Proton and advocate it to others. This does make me rethink my position somewhat - although I’d argue it’s still better than Google / Microsoft-owned email services.

          Reply View 0 replies
    • [removed] 5 hours ago
      [deleted]
      Reply View 0 replies
  • nsagent 6 hours ago

    To be honest, I've found Proton's public customer service representatives to be very duplicitous, so it's hard to take their word at face value. It's pretty ridiculous to see their response to legitimate concerns start with: "That doesn't sound right..." 80-90% of the time.

    Reply View 0 replies
  • a0123 6 hours ago

    Sorry but doubt.

    The whole "we have only received two emails" is a classic move of every company caught with their pants down. Considering Proton's history, they don't get the benefit of the doubt on this one.

    As for the "company size excuse" sorry but considering the business you claim to be in (the private and secure email), having an on-call skeleton crew legal team available over the weekend for urgent requests is a bare minimum (and I'm pretty sure they have people available to hand over everything the cops request if "the proper process is followed").

    Remember that they have turned over information in less than 24 hours before (for what they call an extreme case of course). So the "size" excuse doesn't hold. Doesn't matter how urgent it is, if they are the small bean they claim they are, there is no chance they can have a turnaround of less than 24 hours.

    Again, it's not what they did that's the biggest issue, it's the coverup. Just like last time they got in hot water. Because the coverup raises a lot more questions.

    Reply View 0 replies