The BlackCat (ALPHV) ransomware gang is behind a February cyberattack on Reddit, where threat actors claim to have stolen 80GB of data from the company.

February 9, Reddit revealed that its systems had been hacked on February 5 after an employee fell victim to a phishing attack.

This phishing attack allowed threat actors to gain access to Reddit’s systems and steal internal documents, source code, employee data, and limited advertiser data from the company.

“After successfully obtaining the credentials of a single employee, the attacker gained access to some internal documents, code, as well as some internal dashboards and corporate systems,” explained a publication by Reddit CTO Christopher Slowe, aka KeyserSosa.

“We show no indication of violation of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).”

However, Reddit said the production systems were not hacked and no passwords, accounts or credit card information were affected.

Although Reddit didn’t share many details about the phishing attack, they said it looked like a Phishing attack on Riot Games which allowed hackers to access systems and steal source code for League of Legends (LoL), Teamfight Tactics (TFT), and the company’s former anti-cheat platform Packman.

During the attack on Riot, the threat actors demanded $10 million to withhold stolen data. However, when a ransom was not paid, threat actors attempted to sell the data for $1 million on a hacking forum.

BlackCat behind Reddit hack

As first spotted by Dominique Alvieri and shared with BleepingComputer, the ALPHV ransomware operation, popularly known as BlackCat, now claims to be behind the Feb. 5 cyberattack on Reddit.

In a “Reddit Files” post on the gang’s data leak site, the threat actors claim they stole 80GB of compressed data from the company during the attack and now plan to release the data.

The threat actors say they tried to contact Reddit twice, on April 13 and June 16, demanding $4.5 million for data removal, but received no response.

“I told them in my first email that I would wait for their IPO. But this seems like the perfect opportunity! We are very confident that Reddit will not pay money for their data,” threatened the ransomware operation.

“But I’m very happy to know that the public will be able to read all the statistics they track about their users and all the interesting confidential data we have taken. Did you know that they also silently censor users? With artifacts from their GitHub!”

While Reddit declined to comment on BlackCat’s post, BleepingComputer was able to confirm that this is the same attack disclosed by Reddit in February.

It should be noted that although BlackCat is a ransomware gang, they did not encrypt the devices in this attack.

The same pirate group is believed to be linked to a similar group attack on Western Digital in March 2023, causing a massive failure to the company’s My Cloud cloud service.

While the threat actors behind the Western Digital attack initially claimed to be unnamed, screenshots of the stolen data have been leaked to data leak site ALPHV, with the threat actors taunt the company about the attack.

Western Digital sent data breach notifications in May, notify customers of the online store that their data was stolen in the attack.