Reddit Hackers Issue Ultimatum: $4.5 Million and API Changes, or Risk Leak of 80GB of Data
Reddit disclosed in February that it had fallen prey to a focused phishing attack that resulted in the exposure of confidential documents, code, dashboards, and contracts, as well as the personal information of some advertisers and current and former employees. Although none of the data has been made public, this could change soon. BlackCat, also known as ALPHV, a ransomware gang, has claimed responsibility for the breach and says it has 80GB of compressed data. In a post titled “The Reddit Files,” BlackCat has stated that it will erase the information if Reddit pays $4.5 million and reverses API price hikes.
BlackCat collected the data through the phishing attack, in which employees were sent “credible-sounding prompts” directing them to a website designed to look like Reddit’s intranet gateway. One person fell for the trick, which allowed the hackers to steal their login information and another author’s credentials. The person then self-reported the mistake, and it is believed that the security breach did not compromise the personal information of Reddit users.
Now, months later, the hackers have gone public amid site-wide protests against API price hikes (yes, the same ones BlackCat is so admirably demanding be overturned). The increased costs are forcing popular third-party apps like Narwhal and Apollo to shut down, and Apollo creator Christian Selig claims he would have to spend $20 million a year to stay in business. Developers also fear that losing third-party apps will lead to more censorship and fewer opportunities to generate ad revenue.
In a massive protest, up to 8,000 subreddits went dark at once, but the results were mixed and Reddit doubled down on its plans. “These people who are mad, they’re mad because they used to get something for free, and now it’s not going to be free,” Reddit CEO Steve Huffman said in an interview with The Verge. He has also suggested that moderators who do not make “popular” decisions are easier to remove. While Reddit shows no signs of reversing its decision, some advertisers have been suspended on the site as the blackouts continue.
It’s uncertain how this new development will affect API pricing, if at all, as Reddit has yet to comment on whether it will comply. BlackCat claims Reddit ignored its two previous attempts to contact it, in April and June, and doesn’t hold out much hope that a public ultimatum will make a difference. “We are very confident that Reddit is not paying any money for their data,” BlackCat stated in its post. “We expect information to leak.”