The messy aftermath of Reddit’s controversial API price increase might get messier. The ransomware hacker group BlackCat, which claimed responsibility for snatching 80GB of company data in February, is now demanding the news aggregator and community platform fork over $4.5 million and rescind its latest policy decisions or see all of this information get leaked out into the public. Oof.
Read More: Reddit’s CEO Is Just Making Everything Worse
BlackCat, which also goes by ALPHV, said it emailed Reddit twice asking for the company to comply with its demands, according to a post from cybersecurity researcher Dominic Alvieri and as reported by BleepingComputer.
“In our last email to them, we stated we wanted $4.5 million in exchange for the deletion of the data and our silence,” BlackCat said. “As we also stated, if we had to make this public, then we now demand that they also withdraw their API pricing changes along with our money or we will leak it.” Oh, how villainous.
BlackCat was able to siphon some of Reddit’s data earlier this year via a phishing attack, which allowed the group to steal employee data, internal documentation, source code, and bits of info on the company’s advertisers, according to company CTO and founding engineer Christopher Slowe. In a February 9 Reddit post, Slowe said the group tricked a single Reddit staffer, which then granted BlackCat access. The targeted employee later self-reported the incident and, according to Slowe, the company’s security team quickly removed the infiltrator’s access.
“On late February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees,” Slowe said. “As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens. [However,] we show no indications of a breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data). [...] Based on our investigation so far, Reddit user passwords and accounts are safe.”
Kotaku reached out to Reddit for comment.
This all comes as Reddit faces harsh backlash over its decision to raise the price for third-party apps to access its API. Some apps like Apollo and Infinity have stated that the price hike could cost millions of dollars a year to maintain functionality, leading prominent subreddits—such as r/anime and r/gaming—to go dark to protest what many users view as unpopular changes for Reddit.