Reddit this week confirmed ransomware gang BlackCat, aka AlphaV, broke into its corporate systems in February.
The crew just the other day had bragged it stole 80GB from the biz, and had demanded the social media company pay $4.5 million to keep a lid on the data as well as ditch its controversial API pricing changes.
A spokesperson for Reddit declined to comment on BlackCat’s specific boasts, and insisted it’s not the result of a fresh intrusion. The theft happened a few months ago, and was the result of a “sophisticated phishing campaign” against its staff that Reddit said it encountered on February 5 and disclosed on February 9.
At the time, the company said that, as a result of that phishing, miscreants were able to grab “limited Reddit code, limited contact information for a small number of company contacts and employees (current and former), as well as limited advertiser information (no high risk data was accessed such as credit card details, company financial information, account passwords, campaign strategy or performance).”
In short, yes, someone grabbed its corporate data, but user information and accounts weren’t touched, or so we’re told. Production systems weren’t affected, the February announcement declared, and “we have no evidence to suggest that any Reddit information has been published or distributed online.”
That may change soon, however, as BlackCat said on Saturday: “We expect to leak the data.”
The BlackCat crooks claimed they stole 80GB of data during the intrusion and emailed Reddit about the break-in twice, once on April 13 and a second time on June 16. “There was no attempt to find out what we took,” the ransomware operators said.
“We are very confident that Reddit will not pay any money for their data,” the BlackCat post continued, adding that they demanded $4.5 million to delete the stolen data and not make it public, and also want the social media giant to reverse its planned API price hike.
“I am very happy to know that the public will be able to read all about the statistics they track about their users and all the interesting confidential data we took,” the gang added. “Did you know they also silently sensor [censor? – ed.] users? Along with artifacts from their GitHub!”
Reddit’s other issues
The blackmail attempt comes as Reddit struggles to put out several other fires, including a backlash over its plan to charge for API access: $0.24 per 1,000 calls.
As we’ve pointed out in earlier stories about the pricing scheme: this adds up to tens of millions of dollars a year for popular third-party apps, such as Apollo, Reddit is Fun, and Sync, which rely on the API to customize and improve the Reddit experience for forum moderators and netizens. It all seems like an attempt to thoroughly squeeze the pips out of these applications, or force their developers to shut down over costs and drive more people to the official Reddit app — something the company would probably like to see ahead of its long-predicted IPO this year.
Reddit CEO Steve Huffman has since said that he’s following the Elon Musk playbook, and that the API pricing plan will help the company turn a profit. The makers of next-gen AI models have also been extracting a ton of training data from Reddit, and now Reddit is keen to get a slice of those developers’ fortunes by making them pay for API access.
Reddit also announced layoffs earlier this month.
Emsisoft Threat Analyst Brett Callow, who posted a screenshot of BlackCat’s demands, said that the ransomware gang “likely do not care about the API pricing.”
“Their intention is simply to demonstrate to other victims that they can cause ongoing harm to a business long after an attack, so payment is the least painful option,” Callow said.
Callow noted another “non-monetary ransom”: specifically, the Lapsus$ demand that Nvidia open source its driver code after the extortion gang stole, and later dumped online, the GPU giant’s data in February 2022.
Earlier this year, BlackCat operators breached the security of major Australian law firm HWL Ebsworth, and have since leaked sensitive information including data belonging to the law firm’s federal agency clients.
In February, the crew broke into an American health-care provider — Lehigh Valley Health Network (LVHN) — and stole images of patients undergoing radiation oncology treatment along with other sensitive health records belonging to more than 75,000 people before posting at least some of that data online.
A cancer patient whose nude medical photos and records were shared has sued LVHN for allowing the “preventable” and “seriously damaging” leak. ®