BlackCat threatens to leak 80GB of Reddit data

Ransomware gang ALPHV, most commonly known as BlackCat, is allegedly responsible for the theft of 80GB of data from social media site Reddit. 

The allegation comes directly from the ransomware gang, who have claimed responsibility for a data breach that happened in February of this year. In a post on the gang’s data leaks site, BlackCat claimed to have stolen 80GB of compressed data during the attack and are planning on selling it. 

The malicious actors claimed to have contacted Reddit on both April 13 and June 16, demanding the site pay them US$4.5 million to delete the data, but received no response. BlackCat said that as they are “very confident that Reddit will not pay any money for their data”, they will be selling it.

The threat actors said that they are “very happy to know that the public will be able to read about all the statistics they track about their users and all the interesting confidential data [they] took”. The gang also claimed that Reddit “silently censor” users. 

Source: BleepingComputer

Cyber security news site, BleepingComputer, said that it was able to confirm that the attack referenced by BlackHat was the phishing attack against Reddit in February of this year.

The February phishing attack against Reddit

The breach occurred on February 5, after a phishing attack was launched at Reddit employees. The site said the attack contained “plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens”. 

After obtaining an employee’s credentials, the malicious actors were then able to gain access to Reddit’s internal systems. This meant that the hackers accessed Reddit’s internal business systems, dashboard, documents and source code.  

After being alerted to the phishing attack by the employee whose account was accessed, Reddit said it “removed the infiltrator’s access” and launched an investigation into the breach. The site noted that “similar phishing attacks” had been reported recently. 

The data accessed in the breach included “limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information”, but Reddit confirmed that “user passwords and accounts are safe”.

The site also reported that there was “no evidence” any of its primary production systems being accessed, or that any of its users’ “non-public data” had been accessed or posted online.

Reddit launched an internal investigation into the breach, as well as enhancing its security systems. Additionally, it urged users to enable multi-factor authentication and use a password manager both to set up complex passwords and to prevent themselves from being phished.