Reddit has confirmed hackers accessed internal documents and source code following a “highly-targeted” phishing attack.
A post by Reddit CTO Christopher Slowe, or KeyserSosa, explained that the company became aware of the “sophisticated” attack targeting Reddit employees on February 5. He says that an as-yet-unidentified attacker sent “plausible-sounding prompts” that redirected employees to a website masquerading as Reddit’s intranet portal in an attempt to steal credentials and two-factor authentication tokens.
Slowe said that “similar phishing attempts” have been reported recently, without naming specific examples. However, he likened the breach to the recent Riot Games hack, which saw attackers use social engineering tactics to access source code for the company’s legacy anticheat system.
Reddit said that hackers successfully obtained a single employee’s credentials, enabling them to gain access to gained access internal documents and source code as well as some internal dashboards and business systems.
Slowe said the company learned of the breach after the phished employee self-reported the incident to Reddit’s security team, enabling it quickly cut off the infiltrators’ access and commence an internal investigation.
Reddit, which has more than 50 million daily uses, said its investigation has concluded that limited contact information for “hundreds” of current and former employees, as well as some advertiser information, was also accessed. However, the company says it has “no evidence” to suggest that personal user data and other non-public data has been stolen, published, or distributed online.
Regardless, Reddit has recommended that all users set up 2FA on their accounts and use a password manager. “Besides providing great complicated passwords, they provide an extra layer of security by warning you before you use your password on a phishing site,” Slowe says.
“We’re continuing to investigate and monitor the situation closely and working with our employees to fortify our security skills,” he added. “As we all know, humans are often the weakest part of the security chain.”
Reddit suffered a more serious data breach in 2018 that saw attackers access a complete copy of Reddit data from 2007, comprising the first two years of the site’s operations. This includes usernames, hashed passwords, emails, public posts and private messages.