According to some reports, $250,000 has been offered to the group of hackers that leaked HBO’s various shows prior to their release by the HBO itself. This is all taken from a screenshot of the conversation that the attackers released.
On 27th July, a senior vice president of HBO made the said offer, making the payment seem like a reward for discovering flaws in the network’s security system and not what it really is, which is a ransom agreement.
While we cannot verify if the email is authentic or not and if it has been tampered with in any way, we know for sure that the same address that the attackers had was used to leak the stolen data prior to this.
In the message sent by HBO, its executive says that the network has been working hard since the leak happened to review the material that the hacker made available to them, but haven’t managed to go through all of it yet.
Further on, the executive points that the hackers had the advantage of surprising them and asked the attackers to extend their deadline for a week.
He then went on and offered a bug bounty payment of $250,000 to the hackers once they acquire them with the necessary account and Bitcoin.
This is most probably just an attempt of stalling to get more time, rather than being an actual proposal of payment. Four days after they offered the so-called bug bounty, the network came clean and told the public about experiencing a cyber-incident, which compromised proprietary information, as they put it.
The hackers released a script for Game of Thrones and two yet to be aired episodes of Ballers and Room 104 on the same day. A week after the payment offer has been made, on 3rd August, the hackers added more evidence on the pile of the hacked content, finishing off with a statement that they have access to the network’s whole web mail system. HBO denied this claim.
Afterward, the hackers released personal details on the actors playing the Game of Thrones, like email addresses, phone numbers alongside emails and confidential files from HBO, updating their demand to a multimillion dollar ransom.
Bug bounty payments are known as common in cyber security and are designed to encourage people to find and fix issues in the security systems rather than sell the sensitive information to possible attackers.
But the way this has been executed is what is uncommon. It doesn’t happen often that the bounty payments get paid after the active exploitation of a bug to steal substantial quantities of data. Even more uncommon is for the bug bounty payments to be paid to attackers who demand payments by making a video of text rolling with dramatic music in the background in which the demand a payment of six months salary, or $6m – as the HBO attackers did.