Data Breach

Reddit Files: BlackCat/ALPHV ransomware gang claims to have stolen 80GB of data from Reddit

The BlackCat/ALPHV ransomware gang claims to have stolen 80GB of data from Reddit in the February cyberattack.

In February, the social news aggregation platform Reddit suffered a security breach in which attackers gained unauthorized access to internal documents, code, and some business systems.

The company announced it was hit by a sophisticated and highly targeted phishing attack against its employees that took place on February 5, 2023. The company pointed out that Reddit user passwords and accounts were not compromised.

The spear-phishing messages redirected users to a website mimicking the company’s intranet gateway. The landing page was designed to trick victims into providing credentials and second-factor tokens.

“On late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees. As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.” reads a notice published by the company.

After obtaining a single employee’s credentials, the threat actors gained access to some internal docs and code, as well as some internal dashboards and business systems. The primary production systems of the company were not compromised.

“Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information.” continues the notice. “Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.”

The company states that the phished employee self-reported and that it launched an internal investigation to determine the extent of the incident. The Security team responded quickly to the incident by locking out the intruders.

Now the BlackCat/ALPHV ransomware gang has claimed responsibility for the February cyberattack on the company. The cybercrime gang claims to have stolen 80GB of data (zipped) from Reddit. The group attempted to contact Reddit twice, on April 13 and June 16, without success.

“Operators broke into Reddit on February 5, 2023, and took 80 gigabytes (zipped) of data. Reddit was emailed twice by operators, once on April 13 and once again on June 16. There was no attempt to find out what we took.” reads the message published by the ransomware group on its Tor data leak site. “This is again another instance of Steve Huffman undermining his own agenda. He makes an effort to appear tough, but we are all aware of what happens to individuals like him when businesses go public. Such as Adam Neumann of WeWork. I told them in my first email that I would wait for their IPO to come along. But this seems like the perfect opportunity! We are very confident that Reddit will not pay any money for their data. But I am very happy to know that the public will be able to read about all the statistics they track about their users and all the interesting confidential data we took.”

The BlackCat/ALPHV group is demanding $4.5 million to delete the stolen data.

“Did you know they also silently censor users? Along with artifacts from their GitHub! In our last email to them, we stated that we wanted $4.5 million in exchange for the deletion of the data and our silence. As we also stated, if we had to make this public, then we now demand that they also withdraw their API pricing changes along with our money or we will leak it.” continues the message. “We expect to leak the data. Pass on the torch, Spez, you’re no longer cut out for this kind of work.”

The BlackCat/ALPHV ransomware gang has been active since November 2021. The list of its victims is long and includes industrial explosives manufacturer SOLAR INDUSTRIES INDIA, the US defense contractor NJVC, gas pipeline Creos Luxembourg S.A., the fashion giant Moncler, Swissport, NCR, and Western Digital.

The ransom demands of the group range from a few tens of thousands of dollars up to tens of millions of dollars.

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)
