Reddit, the popular social media platform, is currently grappling with the fallout of a security breach by the BlackCat ransomware gang, also known as ALPHV. The group has claimed responsibility for a February 2023 cyberattack, asserting that they have stolen 80 gigabytes of compressed data from Reddit’s systems [1][2].
The BlackCat gang has since threatened to leak this confidential data unless their demands are met. Alongside a $4.5 million ransom for the deletion of the stolen data, they are also insisting that Reddit reverse its contentious new API pricing changes. The group reportedly made its first demand in April 2023 and followed up in June 2023 after receiving no response from Reddit [1][2].
The security breach itself dates back to early February, when Reddit’s systems were reportedly compromised in a “sophisticated and highly targeted phishing attack” [1][2]. Initially, Reddit claimed that the hackers had accessed employee information and internal documents, but that it had found “no evidence” that personal user data, such as passwords and accounts, had been stolen [1][3].
Amid this security crisis, Reddit’s new API pricing plans have stirred considerable controversy among its user base. Popular third-party Reddit app Apollo announced its closure as a result of the new pricing, and thousands of subreddits, including r/music and r/videos, went dark in protest [1][3]. Critics argue that the pricing changes, which charge $0.24 per 1,000 API calls, could rack up costs in the tens of millions of dollars annually for popular third-party apps that rely on the API to enhance the Reddit experience for forum moderators and users [3].
While some believe that Reddit’s pricing changes are an attempt to drive more users towards the official Reddit app, the company’s CEO, Steve Huffman, has stated that the pricing plan is a necessary measure for the company to turn a profit. Huffman also alluded to the vast amount of training data extracted from Reddit by developers of next-gen AI models, asserting that Reddit should get a share of these developers’ fortunes by making them pay for API access [3].
As of now, Reddit has not publicly responded to the ransom demands or indicated plans to reverse its API pricing changes. However, the company’s refusal to meet these demands could lead to the public release of the stolen data [1][3].
This data breach comes on the heels of Reddit’s struggles with backlash over its API pricing changes and recent layoffs [3]. Furthermore, it’s worth noting that the BlackCat gang has previously been linked to significant cyberattacks on Western Digital and Australian law firm HWL Ebsworth, among others [1][3].
(Note: Further updates to this story may become available after the time of writing, and it is recommended to check the latest news for the most current information.)