Reddit hackers demand R82 million and scrapping of controversial API fees
A ransomware gang allegedly behind a recent Reddit hack has threatened to leak stolen internal data unless it gets paid $4.5 million (R82.03 million) — and Reddit backtracks on its controversial API fees for third-party apps.
Engadget reports that the BlackCat group, also called ALPHV, claimed responsibility for infiltrating Reddit’s systems through a phishing attack in early February 2023.
The incident occurred after one employee fell for a prompt which led to a credential-harvesting website mimicking the design and functioning of Reddit’s internet gateway.
The attack, confirmed by Reddit a few days after it occurred, allowed the actors to extract internal documents, dashboards, code, contracts, and some advertisers’ and employee information.
Reddit said it was unaware that the attack had led to the leaking of passwords or any non-public data.
In a post titled “The Reddit Files” on BlackCat’s dark web leak page, the group said the data it had stolen amounted to 80GB in a compressed file format.
To avoid leaking the data, the actors have demanded that Reddit pay $4.5 million (R82.03 million) and reverse its plan to implement expensive API fees for third-party apps.
Reddit’s proposed high fees for accessing its APIs have sparked a revolt among moderators in the past few weeks due to its devastating impact on popular third-party mobile apps like Apollo and Reddit is Fun.
The apps’ developers have said the issue is not that Reddit wants to charge for its API, but how much it’s charging compared to other players in the space.
Apollo developer Christian Selig said whereas 50 million API calls on Reddit’s planned fees would work out to about $12,000, the same number on Imgur comes to $166.
Reddit’s API tariffs led to over 8,000 subreddits going dark for several days last week out of protest, while numerous popular subreddits have committed to staying private unless Reddit changes course on the API fees.
Reddit unlikely to pay
BlackCat said it previously contacted Reddit on two occasions — in April and June — with its demands, but the company had not yet responded.
Therefore, it was “very confident” that Reddit would not pay the ransom, after which it planned to leak the data.
While Reddit would not provide answers to TechCrunch over BlackCat’s claims around the nature of the data or whether it would respond to its demands, it confirmed that the group’s claim related to the February phishing attack.
BlackCat was also behind an attack on Western Digital in March 2023.
In that incident, 10TB of data, including customer names and partial credit card details, was stolen from the computer hardware and cloud storage company.