Reddit 2023 Breach: Employee Phishing, 80GB Exfiltrated, BlackCat/ALPHV Ransom Demand
February–June 2023
On February 5, 2023, a targeted phishing attack stole an employee's credentials and 2FA token, giving intruders access to internal documents, dashboards, source code, and employee and advertiser data. In June 2023 the BlackCat/ALPHV ransomware group publicly claimed it had taken roughly 80GB of data and demanded a $4.5 million ransom.
What happened
Reddit disclosed on February 9, 2023 that, four days earlier, it had been hit by a 'sophisticated and highly-targeted' spear-phishing campaign. The messages directed employees to a site impersonating Reddit's intranet gateway, which harvested both the credentials and the second-factor tokens employees entered and relayed them to the real login. One employee's account was compromised, giving the attacker access to internal documents and dashboards, business systems, source code, personal information about hundreds of current and former employees and contacts, and some advertiser data. The phished employee self-reported, and Reddit said it locked out the intruder and found no evidence that production systems, user passwords, or user accounts were affected.
In June 2023, the BlackCat (also known as ALPHV) ransomware-as-a-service group publicly took credit for the February intrusion, listing Reddit on its leak site and claiming to hold about 80GB of compressed data. The group said it had demanded $4.5 million for deletion of the data. Notably, BlackCat tied its public threat to Reddit's controversial API pricing changes, saying it would release the data unless Reddit paid and reversed the API price increases. No file-encrypting ransomware was deployed; the operation was a data-theft extortion.
Reddit did not publicly confirm paying any ransom, and the threatened mass release had not appeared as a wholesale public dump in the weeks that followed. The broader lesson is that a phishing site which relays what the victim types defeats passwords and any second factor that is not bound to the site's origin (one-time codes, push approvals); only phishing-resistant credentials such as FIDO2/WebAuthn security keys, whose assertion is tied to the origin the browser actually loaded, resist this class of attack.
Impact
Internal corporate data was exfiltrated: documents, dashboards, source code, personal information on hundreds of current and former employees and contacts, and limited advertiser data, amounting to roughly 80GB compressed according to the attackers' own claim. Reddit maintained that user passwords, user accounts, and production data were not affected. The episode demonstrated how effective an intranet-spoofing phishing page is against employee 2FA that is not phishing-resistant, and that the check that matters is whether the second factor is bound to the origin, not merely whether a second factor is present.
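To make the origin-binding point concrete, the following added example (not Reddit's code, and not a claim about which second-factor type Reddit used) models both designs. A relayed RFC 6238 one-time code still validates on the real site because the server only checks that the code matches the current time window; a WebAuthn-style assertion fails because the browser embeds the origin it actually loaded into the signed client data, and the relying party rejects anything but its own origin. The TOTP secret, the two origins, the challenge and the authenticator key are all constructed for the illustration, and an HMAC stands in for the authenticator's public-key signature.

```python
"""Why a phishing proxy beats one-time codes but not origin-bound credentials.

Added illustration with constructed inputs; none of the values below come
from the Reddit incident.
"""
import base64
import hashlib
import hmac
import json
import struct
import time

# Constructed example secret; real enrolment uses a random per-user secret.
TOTP_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")
TIME_STEP = 30          # seconds per TOTP window (RFC 6238 default)
DIGITS = 6

REAL_ORIGIN = "https://intranet.example.com"     # assumed, not Reddit's real gateway
PHISH_ORIGIN = "https://intranet-example.com"    # constructed lookalike domain


def totp(secret: bytes, at: float, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (HMAC-SHA1, dynamic truncation) over the time-step counter."""
    counter = int(at // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_login(secret: bytes, submitted: str, at: float) -> bool:
    """Server-side check: accept the current step and one step either side (common skew allowance)."""
    return any(hmac.compare_digest(totp(secret, at + d * TIME_STEP), submitted)
               for d in (-1, 0, 1))


def relay_totp(victim_time: float, relay_delay: float) -> bool:
    """The lookalike page harvests the code the victim types and replays it
    relay_delay seconds later on the real site. Nothing in the code ties it
    to the page it was typed into, so a prompt relay succeeds."""
    harvested = totp(TOTP_SECRET, victim_time)
    return totp_login(TOTP_SECRET, harvested, victim_time + relay_delay)


def webauthn_assert(auth_key: bytes, origin: str, challenge: str) -> dict:
    """Browser-side sketch: the authenticator signs over clientData that the
    browser fills with the origin it actually loaded. HMAC stands in for the
    authenticator's private-key signature used by real WebAuthn."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True)
    sig = hmac.new(auth_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}


def webauthn_verify(auth_key: bytes, expected_origin: str, expected_challenge: str,
                    assertion: dict) -> bool:
    """Relying party: the signature, the challenge AND the origin must all check out."""
    data = assertion["clientData"]
    good_sig = hmac.compare_digest(
        hmac.new(auth_key, data.encode(), hashlib.sha256).hexdigest(),
        assertion["signature"])
    cd = json.loads(data)
    return good_sig and cd["challenge"] == expected_challenge and cd["origin"] == expected_origin


def relay_webauthn() -> bool:
    """The proxy forwards the real site's challenge to the victim's browser on the
    lookalike origin and relays the resulting assertion. The signed clientData
    names the phishing origin, so the real site rejects it."""
    key = b"constructed-authenticator-key"          # constructed, stands in for a key pair
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"     # constructed server challenge
    assertion = webauthn_assert(key, PHISH_ORIGIN, challenge)
    return webauthn_verify(key, REAL_ORIGIN, challenge, assertion)


if __name__ == "__main__":
    now = time.time()
    print("relayed TOTP accepted after 5s:", relay_totp(now, 5))
    print("relayed WebAuthn assertion accepted:", relay_webauthn())
```

The TOTP server check is deliberately the usual one (current window plus one step of skew), which is exactly what gives a proxy operator a comfortable margin to replay; the WebAuthn check needs no timing assumption at all because the rejected field is the origin string the browser wrote, which the attacker cannot change without breaking the signature.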