HBO Offers Hackers $250,000 'bug bounty'

HBO reportedly offered $250,000 (£193,000) to the group that hacked its servers under the guise of a “bug bounty”, according to a screenshot of the conversation released by the attackers.

A senior vice president of the company made the offer on 27 July, phrasing the payment as a reward for discovering weaknesses in HBO’s network rather than acceding to ransom demands.

There is no way to verify the authenticity of the email, or whether it has been altered, but it was shared with some outlets through the same email address that the attackers had previously used to leak stolen data.

In the message, the executive says HBO has “been working hard since Sunday evening [23 July] to review all of the material that you have made available to us. We simply have not yet been able to do so”.

The executive continues: “You have the advantage of having surprised us. In the spirit of professional cooperation, we are asking you to extend your deadline for one week.

“As a show of good faith on our side, we are willing to commit to making a bug bounty payment of $250,000 to you as soon as we can establish the necessary account and acquire bitcoin.”

The offer may have been an attempt to stall for time, rather than a genuine proposal of payment. HBO explained about the hack four days after the bug bounty payment was offered, telling the public that it had experienced a “cyber-incident, which resulted in the compromise of proprietary information”.

A script for Game of Thrones, and two unreleased episodes of dramas Ballers and Room 104, were put online the same day. A week after the payment offer, on 3 August, the attackers sent out more evidence of hacked materials, and claimed to have access to the company’s entire webmail system, a claim denied by HBO.

The hackers later released the personal details of some Game of Thrones actors, including email addresses and phone numbers, plus some HBO emails and confidential files, along with a renewed demand for a multimillion dollar ransom.

Bug bounty payments are a common occurrence in cybersecurity, designed to encourage third-parties to discover and report weaknesses found in security systems so they can be fixed, rather than sell the information to would-be attackers.

But it is uncommon for them to be paid following the active exploitation of a bug to steal substantial quantities of data, and extremely uncommon for them to be paid to attackers who deliver payment demands in the form of a video of scrolling text set to dramatic music, asking for a payment of “six months’ salary”, or $6m, as the HBO attackers did.

At least one Hollywood hack victim has paid the ransom demanded by attackers, according to the Hollywood Reporter. But most victims refuse to talk about the ransom requests, fearing that admission they paid will make them a target for future attacks.

Guardian:

You Might Also Read:

Hackers Steal Game of Thrones Script:

Hacker Holds Netflix To Ransom:

 

« Chinese Satellite Sends Hack-Proof Messages
Cyber Security Risks Of Cloud Computing »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Orange Cyberdefense

Orange Cyberdefense

Orange Cyberdefense is the expert cybersecurity business unit of the Orange Group, providing managed security, managed threat detection & response services to organizations around the globe.

Cyber Risk Agency

Cyber Risk Agency

Cyber Risk Agency is a cybersecurity consulting firm specializing in managing cyber risks for SMEs.

NTNU Center for Cyber & Information Security (NTNU CCIS)

NTNU Center for Cyber & Information Security (NTNU CCIS)

NTNU CCIS is a national centre for research, education, testing, training and competence development within the area of cyber and information security.

Quorum Cyber

Quorum Cyber

Quorum Cyber offer end-to-end cyber security solutions, specialising in Managed Security Services, Consulting and Resourcing.

NSHC

NSHC

NSHC is a provider of mobile security solutions, cyber security consulting and training, and offensive research.

Cyber Tec Security

Cyber Tec Security

Cyber Tec Security is an IASME Certification Body for Cyber Essentials basic/Plus. We also provide ongoing Managed Security Services.

TechDemocracy

TechDemocracy

TechDemocracy are a trusted, global cyber risk assurance solutions provider whose DNA is rooted in cyber advisory, managed and implementation services.

Darkbeam

Darkbeam

Darkbeam provides a unified solution to protect against security, brand and compliance risks across your digital infrastructure.

Reflectiz

Reflectiz

Reflectiz empowers digital businesses to make all web applications safer by non-intrusively mitigating any website risks without a single line of code.

SecAlliance

SecAlliance

SecAlliance is a cyber threat intelligence product and services company.

Rausch Advisory Services

Rausch Advisory Services

Rausch delivers solutions that address compliance, enterprise risk, information technology and human resource capital.

Institute for Applied Network Security (IANS)

Institute for Applied Network Security (IANS)

For the security practitioner caught between rapidly evolving threats and demanding executives, IANS Research is a clear-headed resource for decision making and articulating risk.

Ingenics Digital

Ingenics Digital

Ingenics Digital is a recognized initiator and leading service provider in the areas of software development and embedded systems.

BreakPoint Labs

BreakPoint Labs

BreakPoint Labs is dedicated to providing the methods and means for sustainable, measurable, and effective cybersecurity operations.

Cipher Net Shield

Cipher Net Shield

Cipher Net Shield specializes in secure E-wallet solutions with a strong focus on blockchain and cybersecurity, prioritizing both transaction security and the recovery of lost capital.

Secolve

Secolve

Secolve is Australia’s next generation OT specialist cyber security firm, working with key industries to protect the nation’s critical infrastructure.