Event planning site Meetup.com has been intermittently offline for four days after refusing to pay hackers $300 to prevent a distributed denial of service attack.
The site is currently back online for most users, but is still under attack, CEO Scott Heiferman told Reuters.
The company has refused to hand over the small ransom on the basis it would probably encourage the perpetrators to ask for more money.
“It’s a cat-and-mouse game,” Heiferman said, adding he was not yet sure how long it would take to keep the site reliably online.
The attack kicked off late last week after the company received a warning that it would be subject to a distributed-denial-of-service (DDoS) attack unless it paid $300. Heiferman said in a blog post the company didn’t “negotiate with criminals”, prompting multiple attacks over several days.
“We believe this low-ball amount is a trick to see if we are the kind of target who would pay,” he wrote. “We believe if we pay, the criminals would simply demand much more.”
The company said that no personal data, including credit-card information, had been accessed.
Refunds for members
Heiferman said he was open to the possibility of some financial relief for members who pay between $12 and $17 a month to organise Meetup groups in their geographic and thematic areas of interest. He said his first priority was to resume the service.
“We’re going to come out of this much stronger,” he said. “And I don’t mean that as just a trite euphemism, I mean it literally. Like, we are going to be much more secure.”
The FBI has been investigating the attack since last week. The attack was the first in the site’s 12-year history.
Meetup has almost 17 million members and, when online, was signing up between 15,000 and 20,000 people every day.
The site represented a soft target for online criminals, who often attempt to extort companies in return for calling off DDoS attacks, said Kevin Johnson, CEO of cyber security consultancy Secure Ideas.
“It’s very common for this sort of attack to start off with a small demand,” Johnson said. “It’s not like Meetup can write a check for a million dollars.”
Heiferman’s blog post said the site should be able to protect itself over time, even though it has struggled to stay online since the attacks began. He said Meetup spent millions of dollars a year to secure its systems.
Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.