A sophisticated and highly targeted phishing attack led to a breach of Reddit's systems. Reports say the attackers gained access to some internal business systems, code, and documentation.
As in other phishing attacks, the attacker sent out plausible-sounding prompts directing employees to a website that mimicked the behavior of Reddit's intranet gateway, in an effort to acquire credentials and two-factor tokens.
Specifics of Sophisticated Phishing Campaign
Late on February 5, 2023 (PST), Reddit learned of a sophisticated phishing campaign aimed at Reddit employees.
After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs and code, as well as some internal dashboards and business systems.
“We show no indications of a breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data)”, Reddit explains.
Limited contact information for (currently hundreds of) company contacts and employees (both current and former), as well as limited advertiser information, was exposed.
“We have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online”, according to Reddit.
Notably, Reddit mentions that the impacted employee immediately reported that they had been phished, and the security team rapidly took action by blocking the intruder’s access and starting an internal inquiry.
Without mentioning any names, the company said, “Similar phishing attacks have recently been reported.” It made no mention of the source code that was accessed as a result of the security breach.
“We’re continuing to investigate and monitor the situation closely and working with our employees to fortify our security skills”.
“As we all know, the human is often the weakest part of the security chain”, Reddit said.
How to Protect Your Account?
- Setting up 2FA (two-factor authentication) will add an additional degree of security to your Reddit account access.
- Changing your password on a regular basis is a smart idea; just make sure it’s strong and distinct for maximum security.
- Make use of a password manager! They not only offer fantastically complex passwords but also add an additional layer of security by alerting you before you enter your password on a phishing website.