We finally had Credit Karma's lawyers reach out. First, the volume of Twitter ads is going to increase exponentially. Before that, we should prepare good reports and easy-to-consume evidence, and this takes time. Walking through DNS records from CNAME to the lowest levels of L2 of the OSI model is incredibly complex, barely documented, and something perhaps only a couple hundred engineers in the world can do end-to-end.
Second, certain things weren't known about how proxies, tunneling, and IPv4-IPv6 conversion work when the first CK posts were written back in December. Instead of just raising the question of "what are these bizarre things with no explanation," we will make very educated guesses as to what is going on.
More is needed than data, though. Opportunity and motive must exist as well, and these we are prepared to address.
Third, we are debating whether or not to name specific names at Credit Karma, and the contracting firm Robert Half, with regard to who knew what and when. That is a difficult and tricky decision because we do not want to give the impression that others are innocent, yet the reality is that most of CK is completely innocent and unaware. That this was even discovered was a coincidence that arose out of a single email on which an individual was accidentally CC'd.
Fourth, the reality is Credit Karma is a somewhat older firm. The theft and mass compilation of data was solved by many parties about a decade ago. That someone would also design a firm as essentially a giant "honeypot" (and we are not going to describe CK as this quite yet) is also not a particularly groundbreaking concept. We will do our best to cover these, document them simply, and disperse them as widely as we can. But other researchers have, quite frankly, written, documented, and said more. We hope to promote their work later on.
Finally, we take a very democratic approach and submit to people, especially the working and middle classes of the US and UK, whether this merits further investigation.